Twitter fends off second clickjacking attack
Prank being tested on Twitter is harmless, but clickjacking could be used for malicious purposes in the future, security expert says.
Twitter fended off a second clickjacking attack on Thursday night as the popular microblogging site plays cat-and-mouse with a prankster, the site confirmed on Friday.
"Yes, there was a second approach later in the day, same story as the first but with a slightly modified technique," Twitter co-founder Biz Stone wrote in an e-mail. "We took care of that too. Every day we're finding ways to improve the system."
"It's a convoluted cat-and-mouse game," Jeremiah Grossman, chief technology officer of WhiteHat Security, said earlier on Friday. "At least for the moment, Twitter is winning."
Twitter users first noticed the clickjacking prank on Thursday and later that day Twitter had shut it down. Tweets were popping up that said "Don't Click" followed by a link. Clicking the link took the user to a page that included a button that said "Don't Click." Clicking the button automatically distributed the identical tweet. As you can imagine, this spread pretty quickly.
Later on Thursday, the tweets started appearing again after someone figured out a way around Twitter's fix, said Grossman.
Basically, the clickjacking page with the "Don't Click" button on it has an invisible frame with a Twitter status update button superimposed over it, he said. Twitter's original fix wiped a page clean if it detected a frame on its pages, but then someone circumvented that and Twitter was forced to come up with another fix, according to Grossman.
The clickjacking is likely a harmless experiment, but it could be used for malicious purposes in the future, Grossman said.
Firefox users can download a no-script extension to protect against clickjacking but current versions of Internet Explorer do not offer protection, although IE 8 will, he said.