FREN

#FF00AA


12 fév. 2009

Explaining the “Don’t Click” Clickjacking Tweetbomb

TinyURL shut down the redirect quickly and Twitter has responded, but the same attack could arise unless measures are taken. Of which, more later.

Well, yeah, they reacted quickly once an English version made the rounds amongst popular US bloggers, but the French version had been running the Twittersphere, unnoticed, for a week.

The hack is an example of clickjacking. (I’ve heard the term a lot, but only understood its meaning after the investigation of this tweetbomb described here.) […]

Firstly, it’s using an iframe to embed Twitter.com on the page. The iframe is essentially invisible, due to the CSS structure […]

We can see from the CSS z-indexes, the iframe is on top of the button. And we can see from the iframe’s opacity that it is completely invisible. Hmmm… so it’s on top, but completely invisible. If there was a button there, you wouldn’t be able to see it, but you would still be able to click on it.

This is very clever — basically relying on transparent iframes (and I agree with Gruber’s point: why should iframes be allowed to be transparent?) and Twitter’s unvarying home page layout to trick you into clicking the “Update” button without knowing it.

And the fix only works if your browser has Javascript enabled; if it doesn’t, you’re still vulnerable, and it would be pretty complicated for Twitter to fix that. (Unless they stop accepting update text to be sent as a URL parameter, but I guess they implemented this so that some scripts or external sites could use the functionality.)

Vous voulez savoir quand je poste du contenu sur mon blog ? Il suffit de vous inscrire gratuitement à un agrégateur RSS (Feedly, NewsBlur, Inoreader, …) et d'ajouter www.ff00aa.com à vos flux (ou www.garoo.net pour vous abonner à tous les sujets). On n'a pas besoin de newsletters, pas besoin de Twitter, le RSS existe toujours.

Mentions légales : ce blog est hébergé par OVH, 2 rue Kellermann, 59100 Roubaix, France, www.ovhcloud.com.

Les données des visiteurs de ce blog ne sont pas utilisées ni transmises à des tiers. Les posteurs de commentaires peuvent demander leur suppression par e-mail.

Tous contenus © de l'auteur ou couverts par le droit de citation.