I am not from Nigeria and have absolutely no connection to any royalty of any country. You have no relation (familiar or friendly) with me or anyone I know. There is no money available for you and I am asking for nothing. Please disregard this email and go about your life as if you never read it.

What ever you do, do not reply to this email with ANY personal information!

Yours Truly,
Some guy in London.

Posted at 12:32 pm on Feb 12th, 2009 by supernova_hq

Is the first comment SPAM? I can’t tell. It kinda relates, but not really. I think it’s SPAM.

About the post:
Wow, that’s pretty funny! Curiosity killed the cat.

Posted at 1:32 pm on Feb 12th, 2009 by cyrozap

are you both joking? :p

Posted at 1:43 pm on Feb 12th, 2009 by jimitz

Unfortunate but good example of the up and coming web 2.0 attacks.

Posted at 2:30 pm on Feb 12th, 2009 by MD

This is a fairly standard hack. It takes advantage of the idea that if you log into twitter, your browser has a session open with access on it. Given that plus twitter’s update methodology accepting an “HTTP GET” to do the update, its pretty easy.

You can do something like this on virtually any site where you control one page and have users coming to that page that you can assume are also going to be logged in somewhere else and that “somewhere else” accepts a pure “GET” without any way to verify where it comes from.

His use of an invisible iframe is not the best choice. I did a demo of this for a friend’s site to help him tighten up, and I used a layer (div) which was hidden, and had a zindex value lower than another which was in front of it. I used the url of an update (like twitter’s status update) on his site in an image tag for the background image of that layer, and a valid image in the foreground — so that if the background layer was “broken” it wouldn’t should an error. The browser saw a broken background image below a perfectly good foreground one.

Its a difficult hack to protect against for a popular site. they have to track your activity or the source of the update link. Requiring a parameter on the update url which is generated on the site based on a salted hash of the user’s login name is one way to do it.

Posted at 2:36 pm on Feb 12th, 2009 by Andrew Pollack

Wow, there are dumb twitter users, who knew?

Posted at 2:37 pm on Feb 12th, 2009 by VonSkippy

does anyone here use twitter? are there any particularly cool things you can do with it that you can recommend? i get the impression that there is this whole cool twitter thing going on, but i just don’t ‘get’ it…

Posted at 2:52 pm on Feb 12th, 2009 by dan

I lol’d at supernova_hq and the people who click things like that.

Posted at 3:13 pm on Feb 12th, 2009 by Roboguy

I use twitter as a mobile assignment notebook that is universally accessible. This only works because I have created my own codex of searchable terms and have a smartphone. I know there should be a better option but this was the easiest fix I know at the moment.

Posted at 5:36 pm on Feb 12th, 2009 by youngdemosthenes

Dan — twitter is like IM, only inside out.

Where you talk “to” someone with IM, with twitter you just shout out what you’re doing or what’s on your mind, and anyone who’s “Following” you and happens to be online at that moment sees what you’ve said.

“Hey, I’m thinking or doing THIS, if anyone cares”

that’s essentially twitter.

Posted at 5:40 pm on Feb 12th, 2009 by Andrew Pollack

and that is how our entertainment has come to be, posting something and hoping someone will be bored enough to comment about it

Posted at 6:38 pm on Feb 12th, 2009 by roshamboe

Just another reason to hate iFrames

Posted at 10:09 pm on Feb 12th, 2009 by Patrick

“does anyone here use twitter? are there any particularly cool things you can do with it that you can recommend? i get the impression that there is this whole cool twitter thing going on, but i just don’t ‘get’ it…”

Completely agree. Micro Myspaceis not what’s for breakfast.

Posted at 1:25 am on Feb 13th, 2009 by M4CGYV3R

I third that. I have an account but I have no clue why anyone gives a flying f*ck about what i may be doing at any one time except a few select people related to that activity, in which case i would contact them by another means.

Can anyone confirm whether twitter offers any more than “i am doing/thinking this if anyone cares”?

Posted at 1:33 am on Feb 13th, 2009 by mig

+1 to “I don’t know why would anyone want to twitter”

The twitter hacks are good from a technical POV, but that’s it. Just like electrets and those things that blink and synchronise with each other

IMHO, there is not even any use for IM anymore.. It was necessary in the past because regular email was slow and not very good for following conversations, but that’s the past. Now mail is just as good of a solution, no need for “fancy” stuff that only distracts you from the actual work.

Of course, I am a minimalist, if you can’t tell yet :-P.. Linux with xmonad for me

Posted at 2:43 am on Feb 13th, 2009 by RealVision

Hello Eliot,

For your information, Facebook also is striked by this click jacking method :

http://www.allofmanga.net/ok.php?page=facebook

clic anywhere on the page (multiple times if it didn’t work) and then go to this group…http://www.facebook.com/group.php?gid=48226044199

You were automatically added… ;-)

Best Regards,

Korben

Posted at 3:08 am on Feb 13th, 2009 by Korben

@dan

Twitter is for attention whores.
That’s all you need to know.

Posted at 5:25 am on Feb 13th, 2009 by andBeans

@Realvision – you’re not getting it. IM is replacing EMAIL for transient conversation, where email will become the tool used primarily for more important transactions that need to stay around.

Twitter is useful if you’re part of — or are building — a large extended community of interest that requires little specific attention. It can be a bit like being at a trade show. You never know quite who you’ll run into that may be of interest, but there’s a lot of depth around you to be picked up.

Posted at 6:43 am on Feb 13th, 2009 by Andrew Pollack

To successfully use twitter:

1) be popular.
2) be interesting.
3) tweet.

I use it with a small group of friends and we generally tweet neat things we found in the day or for information. (eg “Does anyone know where to find good coffee in the skyway?” or “I baked cookies and they are delicious” to “OMG I’m pregnant !!) These can prove later conversations starters for later “Did you ever find coffee in the skyway?” “You’re pregnant! Pop the champagne!”

Posted at 9:32 am on Feb 13th, 2009 by Robyn

I installed NoScript, and probably doesn’t break out the iframe. Fixing things with javascript isn’t the way I guess.
Anyway, security for Web 2.0 sites is crucial. I once made an IMVU userpage XSS script that copied itself upon viewing. They were quick disabling and fixing it though.

Posted at 11:00 am on Feb 13th, 2009 by DarkFader

I hope more people continue to do this as much as possible until that horrid pile of bullshit doesn’t exist and I can stop hearing about it.

Posted at 12:46 pm on Feb 13th, 2009 by tweet_in_hell_fags

As a previous user mentioned, zindex will still allow this type of tomfoolery to persist.
Example:
Determine the zindex (usually 0) of the target site image/area, set the zindex of a new image, message, etc.. to higher that the one on the site (1 should be usual to work) and place it on the same space using CSS. The new link/image/etc is on top, visible or not, which could be an exact duplicate of whatever is hiding under it, but re-directing some place else.

Also, I don’t know if it has been updated, but the method of using a transparent gif (note: not transparent by browser opacity, but transparent by it’s actual ‘color’ scheme) as an overlay was quite popular on social networking site spam a few years a go.

Originally I was thinking to use the zindex method to jokingly “deface” friends social networking sites by putting up an edit in place of their image which was animated to do other things besides look pretty and static, but once spammers started hitting the sites with it, I thought better to not.

Anyway… even with simple HTML being used, there will still be people who are so caught up in their desperate, yet quiet, self worth issues and will click on things “just in case” or “out of boredom”… I think early high school was the hardest computer repair time I have seen because those kids DESTROY computers and laugh it off, all with purposeful internet spam clicking.

Peace!

Posted at 1:11 pm on Feb 13th, 2009 by louis ii

I use a twitter account for server notifications as part of a basic network monitor that I threw together after many nights of fighting a windows box that refused to stay online.

I don’t have the original link, but google “PHP twitter curl” and one of the top links should give you a link to the guy that figured out how to do it using a PHP library curl to parse the XML sent to twitter and received from it on posting. (success, failure, etc)

Twitter does have its uses, it is a quick way to get txt messages to many people quickly at one time without having to kill youself trying to mass-forward or retyping the txt.

Posted at 3:00 pm on Feb 15th, 2009 by FIRESTORM_v1

lol, I learned that lesson the hard way. On time there was a button in someone’s sig that said “Don’t Click” and I clicked it. It took me to a gay porn site that had my speakers blaring “I’m looking at gay porn”.

Now I’m a lot more cautious when it comes to hyperlinks.

Posted at 10:46 am on Mar 8th, 2009 by zzaz3