February 13, 2009 11:46 AM PST

Twitter fends off second clickjacking attack

by Elinor Mills

Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.

"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."


"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."

Twitter users first noticed the clickjacking prank on Thursday and later that day Twitter had shut it down. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.

Later on Thursday, the tweets started appearing again after someone figured out a way around Twitter's fix, said Grossman.

Basically, the clickjacking page with the "Don't Click" button on it has an invisible frame with a Twitter status update button superimposed over it, he said. Twitter's original fix wiped a page clean if it detected a frame on its pages, but then someone circumvented that and Twitter was forced to come up with another fix, according to Grossman.

The clickjacking is likely a harmless experiment, but it could be used for malicious purposes in the future, Grossman said.

Firefox users can install the NoScript extension to protect against clickjacking, but current versions of Internet Explorer do not offer protection, although IE 8 will, he said.
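The defenses above come in two flavours: a script in the page that checks whether it has been framed (the approach Twitter's first fix took, and which was circumvented), and a browser-enforced response header, which is what the forthcoming IE 8 protection (X-Frame-Options) provides. The helper below is an added example, not code from the article or from Twitter, that audits a set of response headers for the header-based protection; it also understands the CSP frame-ancestors directive, a later mechanism not mentioned in the article. The header values in demo() are constructed samples, not captured from twitter.com.

```javascript
// Audit response headers for browser-enforced anti-clickjacking protection.
// A page-level "wipe the page if framed" script can be bypassed; a header the
// browser enforces before rendering cannot be undone by the framing page.

function frameAncestors(csp) {
  // Return the source list of the CSP frame-ancestors directive, or null if absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

function assessFramingProtection(headers) {
  // headers: { name: value }; names are matched case-insensitively.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value.trim();

  // Browsers that support CSP frame-ancestors give it precedence over X-Frame-Options.
  const sources = h['content-security-policy'] ? frameAncestors(h['content-security-policy']) : null;
  if (sources) {
    const openToAll = sources.some(s => s === '*' || /^https?:$/i.test(s));
    if (openToAll) return { protected: false, mechanism: 'csp', detail: 'frame-ancestors allows any origin' };
    return { protected: true, mechanism: 'csp', detail: `frame-ancestors ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { protected: true, mechanism: 'x-frame-options', detail: xfo };
  if (xfo.startsWith('ALLOW-FROM')) {
    // Only some legacy browsers honour ALLOW-FROM; the rest ignore the header entirely.
    return { protected: false, mechanism: 'x-frame-options', detail: 'ALLOW-FROM is not reliably enforced' };
  }
  if (xfo) return { protected: false, mechanism: 'x-frame-options', detail: `unrecognised value "${xfo}"` };
  return { protected: false, mechanism: 'none', detail: 'no framing restriction; page can be overlaid by an invisible frame' };
}

function demo() {
  // Constructed sample responses: a bare page, a header-protected page, and a misconfigured one.
  const samples = {
    unprotected: {},
    ie8Style: { 'X-Frame-Options': 'DENY' },
    cspOverridesXfo: { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': 'frame-ancestors *' },
  };
  for (const [label, headers] of Object.entries(samples)) {
    console.log(label, assessFramingProtection(headers));
  }
}

demo();
```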

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments
by Alhan_Keser February 14, 2009 8:40 AM PST
"current versions of Internet Explorer do not offer protection"

What a surprise.
by bluemudkipz February 20, 2009 11:34 PM PST
I've found NoScript very frustrating because I don't know much about programming. You could go with Block All Scripts, but it renders pretty much everything fun on the Internet useless. Obviously the best way to go is to selectively allow scripts, but I just haven't had the time to sit down, dig out all the scripts that my computer can be exposed to safely, and allow them.
But that's just what I feel after about ten minutes of having the add-on, so if there's a way around doing all that, please enlighten me. I'd really like to use it.