Twitter is falling prey to a major security flaw right now. The service is getting swamped with messages that say "Don't Click" followed by a URL. Apparently, this hack has been around for over two weeks, but it only really took off today. If you click on the link while you are logged into Twitter, another "Don't Click" message is posted to your Twitter account, which then keeps the cycle going.

Of course, this is also very smart social engineering. Who, after all, can resist clicking on a link that says "Don't Click"?
No matter how annoying it is, though, it doesn't look like this hack does anything more nefarious than post this message to your account. We will keep this post updated as we get more information.
Update I: Evan Williams just announced that Twitter is working on a fix right now and the messages have now finally stopped.
Update II: As one of our commenters points out below, this might also be a far simpler hack, where the attacker simply overlays an iframe on top of the Twitter status update form. While you think you are clicking on a link on another site, you are, in reality, clicking on the 'Update' button on Twitter. Looking at the screenshot above, that does indeed seem to be the case. Here is a good description of how this works in detail.
Note: This was our first theory of how this hack worked; it turns out it was way simpler than this. According to Jeff Atwood, this hack could also be making use of a known security flaw called cross-site request forgery. We are no security experts, but our understanding is that this hack spoofs a request from your browser to Twitter. This only works, as far as we can see, when a service like Twitter allows a user to perform a sensitive action (like posting to Twitter) without checking whether the user actually invoked that action him/herself. If you visit a malicious web site that exploits this flaw, then the attacker can force your browser to send a request that performs an action on your behalf without you ever knowing about it.
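As an added example (not Twitter's actual fix and not code from this post), here is the defensive logic the commenters describe: a frame-busting check that redirects the top-level frame to the site's own origin when the page has been loaded inside an iframe, alongside the response headers that tell modern browsers not to render the page in a frame at all. The `fakeWindow` stand-in and the `https://twitter.com/` origin are assumptions so the check can be exercised outside a browser.

```javascript
// Added example: frame-busting check plus anti-framing headers.
// Not Twitter's real code; `fakeWindow` and the origin are assumptions.

// In a browser `win` is `window`. When the page is embedded in an iframe,
// window.top is a different object from window.self.
function isFramed(win) {
  return win.top !== win.self;
}

// If framed, navigate the top-level frame to our own origin, evicting the
// framing page and with it the invisible "Don't Click" overlay. Writing
// top.location is permitted cross-origin, so this works from inside the frame.
// Returns true when a redirect was issued, false when the page was not framed.
function frameBustIfNeeded(win, ownOrigin) {
  if (!isFramed(win)) return false;
  win.top.location.href = ownOrigin;
  return true;
}

// Script-only frame busting can be neutralised by a hostile parent page, so the
// robust layer is server-side: headers that forbid framing outright. Assumed to
// be attached to every HTML response of the site.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Constructed stand-in for a browser window object so the logic runs under Node.
// framed=true models a page loaded inside an attacker's iframe.
function fakeWindow(framed) {
  const self = { location: { href: 'https://twitter.com/home' } };
  const top = framed
    ? { location: { href: 'http://attacker.example/dont-click' } } // constructed
    : self;
  return { self, top };
}

// Stand-alone demo: framed page gets redirected, unframed page is left alone.
const framed = fakeWindow(true);
console.log(frameBustIfNeeded(framed, 'https://twitter.com/'), framed.top.location.href);
console.log(frameBustIfNeeded(fakeWindow(false), 'https://twitter.com/'));
console.log(antiFramingHeaders());
```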
Comments
It's a hidden iframe, and you click the submit button of your Twitter status when clicking on the normal button.
Here you go for the source code: http://pastie.org/387315
Best wishes from Vienna
http://twitter.com/andreasklinger
I looked at the code and it's really just a simple iframe button submit. Nothing more than that, so no need to change your password or anything.
You are immune to this exploit if using Google Chrome. Yet another reason to use the fastest (safest?) browser for the PC.
(I do miss a few FF plugins, though, and still can't live without FF/Firebug for development)
It's a clickjacking attack: a transparent iframe over the "Don't click" button. So when you click, you actually click "Update" on the Twitter page in the hidden iframe, posting a new status.
You can learn more about the type of attack from the Security Now Episode on Clickjacking (http://twit.tv/sn168)
Love Jeff Atwood, but I don't know where he got his ideas about this. If you look at the source, it's just an iframe of your Twitter homepage with the "Don't Click" status. If I had to guess without digging any further, they're overlaying the Twitter update status button in the iframe directly over the "Don't Click" button on the page, giving the illusion you're clicking a button on their page when you're really clicking Twitter's own "Update Status" button.
On a side note- it looks like if you go to the link now, the page is redirected completely to the source of the iframe. Is this Twitter's fix?
@nic - thanks - that actually makes a lot of sense - going to update the post with that info!
1. The fix is now up on Twitter, as Nic observed. They have some JavaScript in there to spot when they're being loaded in an IFRAME, and if so, to redirect the top-level frame to twitter.com instead.
2. The technique used isn't XSRF; it's clickjacking, in which a fully transparent IFRAME containing the button you *want* the user to click (in this case, Twitter's Update button) is floated on top of the button the user thinks he's clicking ("Don't Click").
More info:
http://en.wikipedia.org/wiki/Clickjacking (general clickjacking explanation)
http://dsandler.org/outgoing/dontclick.html (details of how Don't Click works)
It's not a security issue, it's not a cross-site request forgery, it's nothing more than a simple trick played with an iframe. The only fix that Twitter is now doing is to not let the Twitter site load in a frame.
Jeff Atwood is incorrect, and you should check things out for yourself before reposting, and there is absolutely no reason to change your Twitter password.
Here is the true cause:
http://james.padolsey.com/general/clickjacking-twitter/
Use the no-script plugin with firefox, problem solved. Firefox >>>>>>>>>>> Chrome.
Yes, I believe that is Twitter's fix. Pretty funny to see it spread like wildfire though.
If you see a suspicious TinyURL you can type "preview" as a sub-domain, such as "preview.TinyURL.com/scambaitlol"
Also, it is my opinion that this little clickjacking is not a security risk, as they were using an iframe and had no access to your password or username.
Here's our write-up of the technical side of things and how it all works at Sunlight Labs:
http://sunlightlabs.com/blog/2009/02/12/what-dont-click-business/
This is not CSRF; it's clickjacking. More info, including a demo that shows what's happening, is available here for anyone interested:
http://shiflett.org/blog/2009/feb/twitter-dont-click-exploit
I was so close to clicking.
It doesn't submit anything; when the page loads, it automatically changes your Twitter status if Twitter is active in your browser with "remember me". The button has no action.
Thus for the next email marketing campaign put "Don't click" before the link to the landing page on your website.
This will increase your visits generated by the email campaign.
I've figured out who carried out the attack, and where it came from -- detailed in a post on my blog here: http://www.fscked.co.uk/index.php/2009/02/where-did-the-twitter-dont-click-attack-come-from/
I glopped to the site via a Heritage and BNET one. Any linkage? I did not click on a "Don't Click" but on a single user's small section for a LauraC. Are we done yet?