The emergence of Twitter as a major microblogging tool with the feel of a social networking site also means it becomes a worthy cybercriminal target. Recent pranks, annoying at worst but not essentially harmful to accounts or systems, continue the series of attacks on the site. We blogged about Twitter threats before:
In this recent prank, Twitter entries show up containing links preceded by the warning “Don’t Click”, thus tricking curious users into actually clicking the link, curiosity being the weakest link in online security.
Clicking on that link creates an exact copy of the entry, but on the clicker’s profile this time. Twitter engineers were able to promptly fix the first prank, but a second and similar attack followed shortly, with slight variations to bypass fixes. As of this writing, Twitter has successfully fixed the problem.
This type of threat is called clickjacking, or the theft of mouse cursor clicks from users. We previously blogged about the implications of this relatively new malicious technique. The Twitter pranks tell us now that clickjacking is no longer just a theoretical threat. It is real, and while in this case it was used in what could be a harmless experiment, it’s only a matter of time before it is used with more malicious intent.
Configuring Web browsers to disable scripts is a recommended precaution. Firefox, notably, has a NoScript plugin that can be installed to defend against clickjacking attacks.
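The browser-side precaution above is something each user has to set up; the site itself can also refuse to be loaded inside a frame on a foreign origin, which removes the precondition for clickjacking for every visitor. The following is an added example (not code from the original post or from Twitter) that classifies a response's headers by whether another page may frame it and returns the two standard anti-framing headers a site should send; the header sets used in the comments and test are constructed.

```javascript
// Parse a Content-Security-Policy header into a map of directive -> source list.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1).map(s => s.toLowerCase());
  }
  return directives;
}

// Decide whether a page served with these response headers can be embedded in a
// frame by a page on another origin, which is what a clickjacking page needs.
// Returns "blocked", "same-origin", "allow-listed" or "frameable".
// Header names are compared case-insensitively, as HTTP requires.
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // CSP frame-ancestors takes precedence over X-Frame-Options in current browsers.
  if (h["content-security-policy"]) {
    const ancestors = parseCsp(h["content-security-policy"])["frame-ancestors"];
    if (ancestors) {
      if (ancestors.length === 1 && ancestors[0] === "'none'") return "blocked";
      if (ancestors.every(s => s === "'self'")) return "same-origin";
      return "allow-listed"; // review the listed origins; any of them may frame the page
    }
  }
  // Legacy header, still honoured by all major browsers.
  if (h["x-frame-options"]) {
    const xfo = h["x-frame-options"].trim().toUpperCase();
    if (xfo === "DENY") return "blocked";
    if (xfo === "SAMEORIGIN") return "same-origin";
  }
  // Neither header present (or unrecognised values): any site can frame this page.
  return "frameable";
}

// Headers a site should add to every HTML response it never wants framed.
// Both are sent so that old and new browsers alike enforce the policy.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}
```

Running `framingPolicy` over a site's responses is a quick audit of which pages could still be placed under a transparent overlay by a third-party page.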