Twitter Hack Proof of Concept Released

Blog Experiences

They say twitter is one of the wonderful innovations in the web recently (or at least in the blogging world). And so I tried it out. I registered an account over the weekend. I posted my first twit update. I followed some bloggers. No one’s following me yet 🙂 . I installed twitterfox plugin. Set the privacy into high (Protect my updates). And then came upon this interesting news today:

A twitter proof of concept (POC) hack has been developed. The POC can change the twitter status of the user (what are you doing? feature) without the user knowing it. Following the developers blog, he introduced the readers (me included) the concept of clickjacking (hijacking the clicks of the user with malicious intent, this is the first time I’ve heard of this). Quoting the developers blog:

‘Clickjacking’, if you haven’t heard of it, is a method used by malicious individuals to trick users like you into clicking something without you knowing what you’ve clicked. It’s also known as UI-redressing and only works in browsers that support frames/CSS.

The idea is simple: An iframe is positioned above what looks like a clickable button on a website. This iframe is invisible to the user (opacity:0) and so the user unknowingly clicks on the iframe which may contain anything! This can be achieved through CSS alone, no JavaScript is required

Ouch! This one is familiar. Iframes with zero height zero width 🙁 . Can be used by bad guys to create malicious activities.

There seems to be no complete solution for this yet, but installing the NoScript firefox plugin will help Firefox users.

If you want to know more details, you can read the developers blog. The site has the POC link hosted there (WARNING: Twitter Kids: Try at your own risk, don’t blame me for any untoward events ok?). Clicking the button will add a new twit status “Yes, I did click the button!!! (WHAT!!??)

Or you can visit DarkReading Twitter article.

So will I gonna be forgetting about Twitter? No! I think not, but I will be keeping the protect my updates feature ON for now.