Can you Clickjack Twitter? Apparently you can.
This week, thanks to Microsoft’s IE 8, a follow-up story I did about it, and a blog post I had yesterday on another clickjacking issue, this type of attack is top of mind for me. With clickjacking, a user clicks on something that has a hidden element behind it, which in turn triggers an unexpected action.
After my post yesterday, I was made aware of some research by James Padolsey clearly showing how a Twitter clickjack can be performed.
Basically, what happens is that when the user clicks a button, an unintended message is tweeted. You need to be logged into the Twitter.com web interface for this ‘attack’ to work. If you’re on Firefox, the clickjack is clearly identified by the NoScript add-on (click the screenshot below).
This isn’t a flaw in Twitter per se; it’s more of a browser issue. That said, if you’re logged into the web interface of Twitter in one tab and doing other things in another tab, well... you could cause a little trouble (but just a little). It might also be good cause for Twitter users to pause and think about using a Twitter client (I’m currently using Twhirl), which would also mitigate the risk since a web click wouldn’t translate over to the client.
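As an added example (not code from the original post or from Twitter): a small check of a page’s HTTP response headers that tells a defender whether browsers would let the page be loaded inside a hidden frame, which is the precondition for the clickjack described above. X-Frame-Options is the defense IE 8 shipped; CSP frame-ancestors is the newer equivalent and takes precedence when both are present. The sample headers below are constructed, not captured from Twitter.

```javascript
// Added example: decide from a page's response headers whether a browser would
// let it be loaded in an <iframe>, the precondition for a clickjacking overlay.
// Content-Security-Policy frame-ancestors is checked first because browsers
// give it precedence over X-Frame-Options when both are present.

function framingPolicy(headers) {
  // Header names are case-insensitive, so normalise them once.
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      // 'none' (or an empty source list) forbids every framing parent.
      if (sources.length === 0 || sources.some((s) => s.toLowerCase() === "'none'")) {
        return { framable: false, source: 'csp', allowed: [] };
      }
      return { framable: true, source: 'csp', allowed: sources };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') {
      return { framable: false, source: 'x-frame-options', allowed: [] };
    }
    if (value === 'SAMEORIGIN') {
      return { framable: true, source: 'x-frame-options', allowed: ["'self'"] };
    }
    // ALLOW-FROM and misspelt values are ignored by current browsers, so the
    // page stays framable by anyone even though a header is present.
  }

  // No recognised policy: any site can frame the page and overlay it.
  return { framable: true, source: 'none', allowed: ['*'] };
}

// Constructed sample responses (not real Twitter headers).
const samples = {
  unprotected: { 'Content-Type': 'text/html' },
  denied: { 'X-Frame-Options': 'DENY' },
  cspWins: { 'X-Frame-Options': 'SAMEORIGIN',
             'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
};
```

A result with `framable: true` and `allowed: ['*']` is the case the NoScript warning in the screenshot is protecting against: nothing on the server side stops the page from being embedded and covered.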
There are legitimate reasons why someone would want to click from one page to post to Twitter, though (without having to hide it as a clickjack, that is). For example, if I want you (yes, you, dear reader) to retweet this page:
Don’t worry: in this case, if you click the link you still have to click Update in the Twitter web interface. Oh, and hey, if you want to follow me, I’m here.