Twitter blocks Clickjacking attack with frame buster
Over the span of 90 minutes today I got a whole bunch of tweets from people I follow with the message "Don't Click." Apparently it was a clickjacking attack. Clickjacking is something that involves getting the user to click on an element that then triggers a second or hidden element or action. I've written on this topic before, which affect sall browsers even though Microsoft has a 'fix'.
According to a Twitter blog post on the subject "
"..the harm was restricted to constant reposting of the link, but we take
malicious attacks on Twitter users very seriously and this morning we
submitted an update which blocks this clickjacking technique."
Twitter does not provide details on what the fix is (yet at least), but it's pretty easy to see what they've done. It's a frame busting script of some sort.
Congrats Twitter on taking action on this - a little later than you could have - but hey it's the right move.