Curiosity killed the twit, Twitter clickjacking

posted Feb 12th 2009 12:08pm by
filed under: news, security hacks


Twitter was flooded this morning with users posting “Don’t Click: http://tinyurl.com/amgzs6”. TinyURL has since terminated the URL. The original page doesn’t seem to be live either. It displayed a button that said “Don’t Click”. If the user happened to be logged into Twitter, clicking it would automatically update their status. The instigator partially describes the method on his blog (translated). The page loaded the user’s Twitter page in an invisible iframe. The status text was pasted into the update field and the “Don’t Click” button was placed directly over the update button, so a click on the decoy landed on Twitter’s button instead. You can find the code snippets here, and the original author credits this post for the inspiration. Twitter has since added a JavaScript fragment to each page to break out of iframes:

// Frame-busting: if this page is not the top-level window, navigate the top window to this page's own URL
if (window.top !== window.self) { window.top.location.href = window.self.location.href; }
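The snippet above is a client-side stopgap: it only runs once the page's script executes inside the attacker's frame. The header-based controls browsers later adopted (X-Frame-Options and the CSP frame-ancestors directive) are enforced by the browser before any page script runs. As an added example, not code from the post or from Twitter, here is a checker that evaluates those headers the way a browser does, so a defender can test whether a response could be loaded in a hidden iframe from another origin. Origins are "scheme://host[:port]" strings and the attacker origin in the comments is a made-up placeholder.

```javascript
// Added example: evaluate anti-framing headers for a page and a would-be embedder.
// Precedence follows the CSP spec: a frame-ancestors directive wins when present,
// otherwise X-Frame-Options applies; with neither header the page is frameable,
// which was the situation the "Don't Click" page exploited.

const SRC_RE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/\s]+)(?::(\d+|\*))?$/i;

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(src, pageOrigin, embedderOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  if (src === '*') return true;
  // scheme-source such as "https:" matches any origin with that scheme
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return embedderOrigin.toLowerCase().startsWith(src.toLowerCase());
  const m = SRC_RE.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const emb = new URL(embedderOrigin);
  if (scheme && scheme.toLowerCase() + ':' !== emb.protocol) return false;
  const embPort = emb.port || (emb.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== embPort) return false;
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, never the bare domain
  return wildcard ? emb.hostname.endsWith('.' + h) : emb.hostname === h;
}

// Returns true if the page served with `headers` may be framed by `embedderOrigin`.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1);
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some(src => sourceMatches(src, pageOrigin, embedderOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no policy at all: any origin (e.g. https://attacker.example) can frame the page
}
```

Running it with an empty header set against a placeholder attacker origin returns true, which is exactly the gap the invisible iframe relied on; with `X-Frame-Options: DENY` or `frame-ancestors 'none'` it returns false regardless of the embedder.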
