Wednesday, February 18, 2009 7:52 AM
cmosby
Clickjackers Tweet – TrendLabs Malware Blog
Twitter, like Facebook, is now considered an emerging social networking site, so it is no surprise that it has become a worthy cybercriminal target. The recent pranks, annoying at worst but not essentially harmful to accounts or systems, continue the series of attacks on the micro-blogging and social networking site.
The Twitter entries contain links preceded by the warning "Don't Click", which tricks curious users into actually clicking the link; curiosity is the weakest link in online security.
Clicking on that link creates an exact copy of the entry, but on the clicker’s profile this time. Twitter engineers were able to promptly fix the first prank, but a second and similar attack followed shortly, with slight variations to bypass fixes. As of this writing, Twitter has successfully fixed the problem.
This type of threat is called clickjacking, or the theft of mouse cursor clicks from users. We previously blogged about the implications of this relatively new malicious technique, which brings us to point number two: clickjacking is no longer just a theoretical threat. It is real, and while in this case it was used in what could be a harmless experiment, it’s only a matter of time before it is used with more malicious intent.
Configuring Web browsers to disable scripts is a recommended precaution. Firefox, notably, has a NoScript plugin that can be installed to defend against clickjacking attacks.
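Disabling scripts protects the visitor; the site itself defends against the clickjacking described above by refusing to be loaded inside a frame on another page. The example below is added here and is not code from the TrendLabs post or from Twitter: it shows a legacy in-page frame-busting check and an audit of the response headers (X-Frame-Options, CSP frame-ancestors) that tell browsers not to frame a page. The window objects and header sets in the comments and tests are constructed.

```javascript
// Added example (not from the original post): defender-side clickjacking checks.

// "win" stands for a window object, real or constructed, so the logic can be
// unit-tested outside a browser. A page whose top window is not itself has
// been embedded in a frame.
function isFramed(win) {
  return win.top !== win.self;
}

// Legacy frame-busting: if framed, reload the site as the top-level document.
// In a real page, call frameBust(window) from a script at the top of <head>.
// It is weak on its own (a framing page can suppress it, and it does nothing
// when scripts are disabled), so pair it with the headers audited below.
function frameBust(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location;
  return true;
}

// Audit the anti-framing headers of an HTTP response. "headers" is a plain
// object of header name -> value, as a proxy or log pipeline might collect.
// Returns { protected: boolean, mechanism: string }.
function auditFrameProtection(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  // Modern browsers honour Content-Security-Policy frame-ancestors first.
  const csp = lower['content-security-policy'] || '';
  const fa = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (fa) {
    const sources = fa[1].trim().toLowerCase();
    if (sources.split(/\s+/).includes('*')) {
      return { protected: false, mechanism: 'CSP frame-ancestors allows any origin' };
    }
    return { protected: true, mechanism: `CSP frame-ancestors ${sources}` };
  }
  // Fallback: X-Frame-Options (first shipped with IE8 in early 2009).
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { protected: true, mechanism: `X-Frame-Options ${xfo}` };
  }
  return {
    protected: false,
    mechanism: xfo ? `unrecognised X-Frame-Options "${xfo}"` : 'no anti-framing header',
  };
}
```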
The Register's report about the Twitter incident can be read here.