So the interesting news today is that a Twitter worm named "Don't click" started spreading. It had no harmful payload, it merely tweeted a link to itself. However, Using search.twitter.com, at peak there were multiple new hits per second for "Don't click" as it began to spread wider and wider. It was a simple exploit. A page with a button stating Don't Click, and iframe calling in Twitter.com with the command to post a tweet. It appeared, at first look, to be a classic example of Cross Site Request Forgery, or CSRF.
Thanks to
Sean Coates' keen eyes, it was discovered that the page's CSS was being used to invisibly place the Twitter.com iframe over the "Don't Click" button, such that you would actually be clicking the Twitter submit button. This was necessary as Twitter uses auth tokens to prevent CSRF attacks . A request sent in without a valid auth token would not be submitted, instead the Twitter submit form is pre-filled with the data. Because the iframe was made invisible via CSS, a visitor would not see that they were actually submitting a pre-filled out twitter page. You can read more about the workings of this on
Chris Shiflett's blog post.
While this was clearly an exploit of twitter, and a creative one at that, I have to wonder if it was a true attack. The author disabled the page when it began to get out of control, and they seem to be following Twitter's progress at blocking it. If I had to guess, I'm betting someone was reading about Clickjacking and decided to try it out on Twitter. "Look what I can do!" They might have started off by showing it to a few friends, and then pretty soon it spread all over Twitter. While it may seem like an embarrassment for Twitter, in truth they should be thankful the vulnerability was discovered by a relatively harmless worm, rather than a malicious attack.
Long term, I think this will have been a good thing for the web, as it serves as a very loud wakeup call to take Clickjacking seriously. Because of the way this was done via CSS, even users with javascript disabled are vulnerable. In fact, twitter's quick fix of breaking out of frames will not work if a user has javascript disabled. In this rare case, noscript could actually make you less safe.
Now, while Twitter has made a quick fix, there are already ways to defeat it in IE and FireFox. (See:
Chris Shiflett's example using the frame-buster-busting JS I found). So how can Twitter fix this vulnerability? The quickest way would be to stop pre-populating the form with data when there is no valid auth token. This would stop all simple clickjacking attacks. More complicated attacks might be possible by tricking the user into typing into a disguised twitter form and clicking submit, or performing whatever form actions were necessary to submit the form.
My quick idea to guard against complicated clickjacking attacks: Have your form have a drop down select field like this:
This would force the clickjacker to display the dropdown, and hopefully cue the user into the fact they are being clickjacked. In general, the idea is to provide an easily recognizable site specific form field similar to a CAPTCHA that the user will recognize if another site tries to trick them into using. I'm sure a more polished method can be developed.
