tag:,2009:/1/tag:www.readwriteweb.com,2009://1.13808- 2009-11-23T17:31:00Z Comments for Don't Click! No Really! Don't Even Think About it! Movable Type 4.23-en tag:www.readwriteweb.com,2009://1.13808 2009-02-12T18:10:05Z 2009-02-12T21:09:39Z Don't Click! No Really! Don't Even Think About it! Twitter is falling prey to a major security flaw right now. The service is getting swamped with messages that say: "Don't Click" and a URL. Apparently, this hack has been around for over two weeks, but it only really took off today. If you actually click on the link while you are logged into Twitter,... Frederic Lardinois twitter_logo_Jan_09.pngTwitter is falling prey to a major security flaw right now. The service is getting swamped with messages that say: "Don't Click" and a URL. Apparently, this hack has been around for over two weeks, but it only really took off today. If you actually click on the link while you are logged into Twitter, another "Don't Click" message will be posted to your Twitter account, which then propagates the cycle.

]]> twit_hack.png

Of course, this is also very smart social engineering. Who, after all, can resist clicking on a link that says "Don't Click."

No matter how annoying, though, it doesn't look like this hack does anything more nefarious than post this message to your account. We will keep this post updated as we get more information.

Update I: Evan Williams just announced that Twitter is working on a fix right now and the messages have now finally stopped.

Update II: As one our commenters points out below, this might also be a far simpler hack, where the hacker simply overlays on iFrame over the Twitter status update. While you think you are clicking on a link on another site, you are, in reality, clicking on the 'Update' button on Twitter. Looking at the screen shot above, that does indeed seem to be the case. Here is a good description of how this works in detail.

Note: This was our first theory of how this hack worked - turns out, it was way simpler than this: According to Jeff Attwood, this hack could also be making use of a known security flaw called a cross-site request forgery. We are no security experts, but our understanding is that this hack spoofs a request from your browser to Twitter. This only works, as far as we can see, when a service like Twitter allows a user to perform a sensitive action without checking if the user has actually invoked this action (like posting to Twitter) him/herself. If you visit a malicious web site that is vulnerable to this hack, then the attacker can force your browser to send out a request to perform an action on your behalf without you ever knowing about it.

]]> tag:www.readwriteweb.com,2009://1.13808-comment:126389 Comment from Andreas Klinger on 2009-02-12 Andreas Klinger http://die.socialisten.at its an hidden iframe and you click the submit button of your twitter status when clicking on the normal button

here you go for the sourcecode: http://pastie.org/387315

best wishes from vienna
http://twitter.com/andreasklinger

]]> 2009-02-12T18:24:52Z tag:www.readwriteweb.com,2009://1.13808-comment:126390 Comment from Scott on 2009-02-12 Scott http://friendfeed.com/hawkee I looked at the code and it's really just a simple iframe button submit. Nothing more than that, so no need to change your password or anything.

]]> 2009-02-12T18:26:08Z tag:www.readwriteweb.com,2009://1.13808-comment:126392 Comment from Sean O on 2009-02-12 Sean O http://twitter.com/seanodotcom You are immune to this exploit if using Google Chrome. Yet another reason to use the fastest (safest?) browser for the PC.

(I do miss a few FF plugins, though, and still can't live without FF/Firebug for development)

]]> 2009-02-12T18:37:48Z tag:www.readwriteweb.com,2009://1.13808-comment:126394 Comment from John on 2009-02-12 John http://www.justjohn.us/ It's a click-jacking attack; a transparent iframe over the "Don't click" button. So when you click, you actually click "update" on the twitter page in the hidden iframe posting a new status.

You can learn more about the type of attack from the Security Now Episode on Clickjacking (http://twit.tv/sn168)

]]> 2009-02-12T18:39:20Z tag:www.readwriteweb.com,2009://1.13808-comment:126395 Comment from Nic on 2009-02-12 Nic http://twitter.com/nicluciano Love Jeff Attwood but I don't know where he got his ideas about this. If you look at the source it's just an iframe of your twitter homepage with the "Don't Click" status. If I had to guess without digging any further, they're overlaying the Twitter update status button in the iframe directly over the "Don't Click" button on the page. Giving the illusion you're clicking a button on their page, but you're clicking Twitter's own "Update Status" button.

]]> 2009-02-12T18:41:56Z tag:www.readwriteweb.com,2009://1.13808-comment:126397 Comment from Nic on 2009-02-12 Nic http://twitter.com/nicluciano On a side note- it looks like if you go to the link now, the page is redirected completely to the source of the iframe. Is this Twitter's fix?

]]> 2009-02-12T18:44:07Z tag:www.readwriteweb.com,2009://1.13808-comment:126399 Comment from Frederic Lardinois on 2009-02-12 Frederic Lardinois @nic - thanks - that actually makes a lot of sense - going to update the post with that info!

]]> 2009-02-12T18:45:57Z tag:www.readwriteweb.com,2009://1.13808-comment:126400 Comment from Daniel Sandler on 2009-02-12 Daniel Sandler http://dsandler.org/ 1. The fix is now up on Twittter, as Nic observed. They have some JavaScript in there to spot when they're being loaded in an IFRAME, and if so, to redirect the top-level frame to twitter.com instead.

2. The technique used isn't XSRF; it's clickjacking, in which a fully transparent IFRAME containing the button you *want* the user to click (in this case, Twitter's Update button) is floated on top of the button the user thinks he's clicking ("Don't Click").

More info:
http://en.wikipedia.org/wiki/Clickjacking (general clickjacking explanation)
http://dsandler.org/outgoing/dontclick.html (details of how Don't Click works)

]]> 2009-02-12T18:50:46Z tag:www.readwriteweb.com,2009://1.13808-comment:126401 Comment from Jeff L on 2009-02-12 Jeff L http://www.bogglethemind.com/ It's not a security issue, it's not a cross-site request forgery, it's nothing more than a simple trick played with an iframe. The only fix that twitter is now doing is to not let the Twitter site load in a frame.

Jeff Atwood is incorrect, and you should check things out for yourself before reposting, and there is absolutely no reason to change your Twitter password.

Here is the true cause:
http://james.padolsey.com/general/clickjacking-twitter/

]]> 2009-02-12T18:50:51Z tag:www.readwriteweb.com,2009://1.13808-comment:126402 Comment from ayasin on 2009-02-12 ayasin Use the no-script plugin with firefox, problem solved. Firefox >>>>>>>>>>> Chrome.

]]> 2009-02-12T18:53:06Z tag:www.readwriteweb.com,2009://1.13808-comment:126403 Comment from Twitter Forum on 2009-02-12 Twitter Forum http://www.tweetsocial.com Yes, I believe that is Twitter's fix. Pretty funny to see it spread like wildfire though.

If you see a suspicious TinyURL you can type "preview" as a sub-domain, such as "preview.TinyURL.com/scambaitlol"

Also, it is in my opinion that this little click jacking is not a security risk as they were using an iframe and had no access to your password or usernames.

]]> 2009-02-12T18:54:14Z tag:www.readwriteweb.com,2009://1.13808-comment:126404 Comment from Clay Johnson on 2009-02-12 Clay Johnson http://sunlightlabs.com Here's our write-up of the technical side of things and how it all works at Sunlight Labs:

http://sunlightlabs.com/blog/2009/02/12/what-dont-click-business/

]]> 2009-02-12T18:55:01Z tag:www.readwriteweb.com,2009://1.13808-comment:126408 Comment from Chris Shiflett on 2009-02-12 Chris Shiflett http://shiflett.org/ This is not CSRF; it's clickjacking. More info, including a demo that shows what's happening, is available here for anyone interested:

http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit

]]> 2009-02-12T19:17:21Z tag:www.readwriteweb.com,2009://1.13808-comment:126439 Comment from evl on 2009-02-12 evl http://fromtheold.com I was so close to clicking.

]]> 2009-02-12T23:21:29Z tag:www.readwriteweb.com,2009://1.13808-comment:126459 Comment from baker on 2009-02-12 baker It not submit anything, when the page load automatically change your twitter status if twitter is active in your browser with the "remember me". The button have no action.

]]> 2009-02-13T01:57:39Z tag:www.readwriteweb.com,2009://1.13808-comment:126487 Comment from Engago Team on 2009-02-13 Engago Team http://www.LEADSExplorer.com Thus for the next email marketing campaign put "Don't click" before the link to the landing page on your website.
This will increase your visits generated by the email campaign.

]]> 2009-02-13T09:27:34Z tag:www.readwriteweb.com,2009://1.13808-comment:126489 Comment from Richard Gaywood on 2009-02-13 Richard Gaywood http://www.fscked.co.uk I've figured out who carried out the attack, and where it came from -- detailed in a post on my blog here: http://www.fscked.co.uk/index.php/2009/02/where-did-the-twitter-dont-click-attack-come-from/

]]> 2009-02-13T10:25:36Z tag:www.readwriteweb.com,2009://1.13808-comment:126657 Comment from l on 2009-02-13 l i glopped to the site via a Heritage and BNET one. Any linkage? I did not clic on a don't Klick But on a single users small section for a LauraC. Are we done yet?

]]> 2009-02-14T04:19:47Z tag:www.readwriteweb.com,2009://1.13808-comment:129108 Comment from söve on 2009-03-07 söve http://www.sove.name Yes, I believe that is Twitter's fix. Pretty funny to see it spread like wildfire though.

]]> 2009-03-07T08:32:13Z tag:www.readwriteweb.com,2009://1.13808-comment:136421 Comment from Breana O on 2009-05-03 Breana O Twitter is breaking down the wall of separation between celebrities and their fans, i.e. the people that give them a

living. Twitter, the social networking site, and cyberspace phenomenon, has been utilized by personalities such as Ashton

Kutcher and wife Demi Moore, the director Kevin Smith, singer Lily Allen, and LaVar Burton, the actor known for his role

on Star Trek as Geordie the engineer, as well as host of the Reading Rainbow and his role in Alex Haley's Roots. Users

post updates, whatever they want to say, questions and answers, in 140 word clips called Tweets. Membership is free, so

you don't have to get installment loans to get onto

Wall”" href="http://personalmoneystore.com/moneyblog/2009/04/27/installment-loans-twitter-break-fourth-wall-part-

1/">Twitter

.

]]> 2009-05-04T03:20:17Z tag:www.readwriteweb.com,2009://1.13808-comment:144763 Comment from kaçak mirc on 2009-06-30 kaçak mirc http://www.mirc81.net/kacak-mirc.htm -kacak mırc

]]> 2009-06-30T22:19:53Z tag:www.readwriteweb.com,2009://1.13808-comment:163011 Comment from Chat odaları on 2009-10-15 Chat odaları http://www.trchatodalari.com Yes, I believe that is Twitter's fix. Pretty funny to see it spread like wildfire though..

]]> 2009-10-15T20:13:01Z