Clickjacking awareness

How did the recent “Don’t Click” clickjacking attack on Twitter come about? Pretty innocuously, according to this report… a funny hack went viral, and refused to be defused. (I haven’t confirmed the author’s account, but it seems plausible, and is interesting in its own right.)

“Clickjacking” is when third-party content tricks a webpage visitor into making an undesired click. Complete remedies are difficult, because DHTML added JavaScript page-rewrites, and Web 2.0 added unvetted third-party content. Browser makers are now struggling to find ways to guarantee that What You See Is What You Click.

A novel aspect of the Twitter-jacking is that the third-party content was introduced via URL-shortening services. Fixes have been attempted, and rebuffed. Check out the explosive growth in this chart.

This “Don’t Click” isn’t a serious exploit in itself, but it’s a serious step along an existing vulnerability. Stay tuned.