February 13, 2009 11:46 AM PST

Twitter fends off second clickjacking attack

by Elinor Mills

Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.

"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."

"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."

Twitter users first noticed the clickjacking prank on Thursday, and Twitter shut it down later that day. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.

Later on Thursday, the tweets started appearing again after someone figured out a way around Twitter's fix, said Grossman.

Basically, the clickjacking page with the "Don't Click" button on it has an invisible frame with a Twitter status update button superimposed over it, he said. Twitter's original fix wiped a page clean if it detected a frame on its pages, but then someone circumvented that and Twitter was forced to come up with another fix, according to Grossman.

The clickjacking is likely a harmless experiment, but it could be used for malicious purposes in the future, Grossman said.

Firefox users can download the NoScript extension to protect against clickjacking, but current versions of Internet Explorer do not offer protection, although IE 8 will, he said.
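The frame check Grossman describes runs as script inside the framed page; browsers now also take anti-framing instructions from response headers. As an added example (not from the article or Twitter's code), this audits a response for the X-Frame-Options header and the CSP frame-ancestors directive; the URLs and sample headers are constructed.

```javascript
// Added example (not from the article): classify a response's anti-framing
// policy from its headers. Assumes one policy per header value.
const FRAMEABLE = 'frameable', ALLOWLIST = 'allowlist',
      SAME_ORIGIN = 'same-origin', BLOCKED = 'blocked';

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  // HTTP header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }
  // A frame-ancestors directive supersedes X-Frame-Options when present.
  const sources = frameAncestors(h['content-security-policy'] || '');
  if (sources !== null) {
    if (sources.length === 0 || sources.join() === "'none'") return BLOCKED;
    if (sources.some(s => s === '*' || /^https?:$/.test(s))) return FRAMEABLE;
    if (sources.every(s => s === "'self'")) return SAME_ORIGIN;
    return ALLOWLIST;
  }
  // This audit treats obsolete or unrecognised values (ALLOW-FROM, typos) as no protection.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return BLOCKED;
  if (xfo === 'SAMEORIGIN') return SAME_ORIGIN;
  return FRAMEABLE;
}

// Constructed sample responses for hypothetical URLs.
const samples = {
  'https://app.example/status': { 'X-Frame-Options': 'DENY' },
  'https://app.example/widget': { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" },
  'https://app.example/legacy': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  'https://app.example/home': {},
};

// List the URLs any third-party page could load in an invisible frame.
function frameableUrls(responses) {
  return Object.keys(responses).filter(u => framingPolicy(responses[u]) === FRAMEABLE);
}

console.log(frameableUrls(samples));
```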

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by Alhan_Keser February 14, 2009 8:40 AM PST
"current versions of Internet Explorer do not offer protection"

What a surprise.
by bluemudkipz February 20, 2009 11:34 PM PST
I've found NoScript very frustrating because I don't know much about programming. You could go with Block All Scripts, but it renders pretty much everything fun on the Internet useless. Obviously the best way to go is to selectively allow scripts, but I just haven't had the time to sit down, dig out all the scripts that my computer can be exposed to safely, and allow them.
But that's just what I feel after about ten minutes of having the add-on, so if there's a way around doing all that, please enlighten me. I'd really like to use it.