Over the span of 90 minutes today I got a whole bunch of tweets from people I follow with the message “Don’t Click.” Apparently it was a clickjacking attack. Clickjacking is something that involves getting the user to click on an element that then triggers a second or hidden element or action. I’ve written on this topic before, which affect sall browsers even though Microsoft has a ‘fix’.
According to a Twitter blog post on the subject “
“..the harm was restricted to constant reposting of the link, but we take
malicious attacks on Twitter users very seriously and this morning we
submitted an update which blocks this clickjacking technique.”
Twitter does not provide details on what the fix is (yet at least), but it’s pretty easy to see what they’ve done. It’s a frame busting script of some sort.
Back on January 30th I wrote about clickjacking twitter and it looks like that particular exploit vector has now been mitigated with the frame buster. With a frame buster the twitter log in element itself cannot be ‘broken out’ of twitter such that it can be hidden on a different site in a hidden frame.
Congrats Twitter on taking action on this – a little later than you could have – but hey it’s the right move.