Curiosity Killed The Twit, Twitter Clickjacking


Twitter was flooded this morning with users posting “Don’t Click: http://tinyurl.com/amgzs6”. TinyURL has since terminated the URL, and the original page no longer appears to be live. It displayed a single button that said “Don’t Click”. If the visitor happened to be logged into Twitter, clicking it silently updated their status, which is how the message spread. The instigator partially describes the method on his blog (translated): the page loaded the user’s Twitter page in an invisible iframe, pre-filled the status text, and positioned the visible “Don’t Click” button directly over the hidden update button, so the victim’s own click landed on Twitter’s form. This is clickjacking rather than CSRF: the request is made by the real page inside the victim’s authenticated browser, so session cookies and any anti-CSRF token travel with it, and the defence has to keep the page from being framed at all. You can find the code snippets here, and the original author credits this post for the inspiration. Twitter has since added a JavaScript fragment to each page to break out of iframes:

// If this document is not the top-level browsing context, navigate the top window to it.
if (window.top !== window.self) { window.top.location.href = window.self.location.href; }
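The script above is only a stop-gap: it has to execute inside the framed document, so anything that keeps it from running (a script blocker in the victim's browser, or an iframe sandbox attribute that the attacker sets without allow-scripts) leaves the page frameable again. The defence that does not depend on the victim's browser running your code is a response header: X-Frame-Options with DENY or SAMEORIGIN, or a Content-Security-Policy carrying a frame-ancestors directive, which the browser evaluates before rendering and which takes precedence over X-Frame-Options when both are present. Below is an added example, not code from the original post or from Twitter, that audits a response's headers the way a tester would after an incident like this one and reports whether a page served with them could be framed by a given attacker origin. The hostnames and header sets are constructed for the demonstration.

```javascript
'use strict';

// Added example: decide from response headers whether a page at pageUrl may be
// framed by a document at framerUrl. Header names and values are the real
// X-Frame-Options / CSP frame-ancestors syntax; the sample URLs and header sets
// at the bottom are constructed for the demo, not captured from twitter.com.

// Reduce a URL to its origin ("https://Evil.example:443/x" -> "https://evil.example").
function originOf(url) {
  return new URL(url).origin.toLowerCase();
}

function effectivePort(u) {
  if (u.port) return u.port;
  return u.protocol === 'https:' ? '443' : u.protocol === 'http:' ? '80' : '';
}

// Does one frame-ancestors source expression match the framing origin?
function sourceMatches(src, framerOrigin, pageOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const fo = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return fo.protocol === s; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port]; the host may begin with "*."
  let scheme = null;
  let rest = s;
  const m = s.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) { scheme = m[1] + ':'; rest = m[2]; }
  const [host, port] = rest.split(':');
  if (scheme && fo.protocol !== scheme) return false;
  if (port && port !== '*' && port !== effectivePort(fo)) return false;
  // "*.x.y" matches subdomains of x.y but not x.y itself, as in CSP.
  if (host.startsWith('*.')) return fo.hostname.endsWith(host.slice(1));
  return fo.hostname === host;
}

// Source list of the frame-ancestors directive in one CSP header value, or null if absent.
function frameAncestorsOf(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// headers: { name: value | [values] }; names are compared case-insensitively.
function headerValues(headers, name) {
  const out = [];
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === name) out.push(...[].concat(v));
  }
  return out;
}

// Returns { frameable, by } where `by` names the mechanism that decided:
// 'frame-ancestors', 'x-frame-options' or 'none' (no anti-framing header at all).
function framingVerdict(headers, pageUrl, framerUrl) {
  const pageOrigin = originOf(pageUrl);
  const framerOrigin = originOf(framerUrl);

  // frame-ancestors wins over X-Frame-Options when both are delivered.
  const policies = headerValues(headers, 'content-security-policy')
    .map(frameAncestorsOf)
    .filter((list) => list !== null);
  if (policies.length) {
    // Every delivered policy must allow the ancestor; an empty list allows nothing.
    const ok = policies.every((list) => list.some((src) => sourceMatches(src, framerOrigin, pageOrigin)));
    return { frameable: ok, by: 'frame-ancestors' };
  }

  const xfo = headerValues(headers, 'x-frame-options');
  if (xfo.length) {
    const v = xfo[0].trim().toUpperCase();
    if (v === 'DENY') return { frameable: false, by: 'x-frame-options' };
    if (v === 'SAMEORIGIN') return { frameable: framerOrigin === pageOrigin, by: 'x-frame-options' };
    // Anything else (including the obsolete ALLOW-FROM) is treated here as giving no protection.
    return { frameable: true, by: 'x-frame-options' };
  }

  return { frameable: true, by: 'none' };
}

// Constructed sample responses: no header at all (the situation the post describes),
// the two header-based fixes, and a case where both headers are sent.
const SAMPLES = {
  noHeader: {},
  xfo: { 'X-Frame-Options': 'SAMEORIGIN' },
  csp: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  both: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" },
};
const PAGE = 'https://twitter.com/home';            // the framed target (constructed)
const ATTACKER = 'https://evil.example/dontclick';  // the hostile framing page (constructed)

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, framingVerdict(headers, PAGE, ATTACKER));
}
```

Point it at the header set you get back from a curl -I of the page under test; a verdict of frameable from the attacker origin with by: 'none' means the only thing standing between the site and another “Don’t Click” is script that the attacker can keep from running.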

24 thoughts on “Curiosity Killed The Twit, Twitter Clickjacking”

  1. I am not from Nigeria and have absolutely no connection to any royalty of any country. You have no relation (familiar or friendly) with me or anyone I know. There is no money available for you and I am asking for nothing. Please disregard this email and go about your life as if you never read it.

    Whatever you do, do not reply to this email with ANY personal information!

    Yours Truly,
    Some guy in London.

  2. This is a fairly standard hack. It takes advantage of the idea that if you log into twitter, your browser has a session open with access on it. Given that plus twitter’s update methodology accepting an “HTTP GET” to do the update, it’s pretty easy.

    You can do something like this on virtually any site where you control one page and have users coming to that page that you can assume are also going to be logged in somewhere else and that “somewhere else” accepts a pure “GET” without any way to verify where it comes from.

    His use of an invisible iframe is not the best choice. I did a demo of this for a friend’s site to help him tighten up, and I used a layer (div) which was hidden, and had a z-index value lower than another which was in front of it. I used the url of an update (like twitter’s status update) on his site in an image tag for the background image of that layer, and a valid image in the foreground — so that if the background layer was “broken” it wouldn’t show an error. The browser saw a broken background image below a perfectly good foreground one.

    It’s a difficult hack to protect against for a popular site. They have to track your activity or the source of the update link. Requiring a parameter on the update url which is generated on the site based on a salted hash of the user’s login name is one way to do it.

  3. Does anyone here use twitter? Are there any particularly cool things you can do with it that you can recommend? I get the impression that there is this whole cool twitter thing going on, but I just don’t ‘get’ it…

  4. I use twitter as a mobile assignment notebook that is universally accessible. This only works because I have created my own codex of searchable terms and have a smartphone. I know there should be a better option but this was the easiest fix I know at the moment.

  5. Dan — twitter is like IM, only inside out.

    Where you talk “to” someone with IM, with twitter you just shout out what you’re doing or what’s on your mind, and anyone who’s “Following” you and happens to be online at that moment sees what you’ve said.

    “Hey, I’m thinking or doing THIS, if anyone cares”

    that’s essentially twitter.

  6. “does anyone here use twitter? are there any particularly cool things you can do with it that you can recommend? i get the impression that there is this whole cool twitter thing going on, but i just don’t ‘get’ it…”

    Completely agree. Micro Myspace is not what’s for breakfast.

  7. I third that. I have an account but I have no clue why anyone gives a flying f*ck about what I may be doing at any one time except a few select people related to that activity, in which case I would contact them by another means.

    Can anyone confirm whether twitter offers any more than “i am doing/thinking this if anyone cares”?

  8. +1 to “I don’t know why would anyone want to twitter”

    The twitter hacks are good from a technical POV, but that’s it. Just like electrets and those things that blink and synchronise with each other

    IMHO, there is not even any use for IM anymore.. It was necessary in the past because regular email was slow and not very good for following conversations, but that’s the past. Now mail is just as good of a solution, no need for “fancy” stuff that only distracts you from the actual work.

    Of course, I am a minimalist, if you can’t tell yet :-P.. Linux with xmonad for me

  9. @Realvision – you’re not getting it. IM is replacing EMAIL for transient conversation, where email will become the tool used primarily for more important transactions that need to stay around.

    Twitter is useful if you’re part of — or are building — a large extended community of interest that requires little specific attention. It can be a bit like being at a trade show. You never know quite who you’ll run into that may be of interest, but there’s a lot of depth around you to be picked up.

  10. To successfully use twitter:

    1) be popular.
    2) be interesting.
    3) tweet.

    I use it with a small group of friends and we generally tweet neat things we found in the day or for information (e.g. “Does anyone know where to find good coffee in the skyway?” or “I baked cookies and they are delicious” to “OMG I’m pregnant!!”). These can prove conversation starters for later: “Did you ever find coffee in the skyway?” “You’re pregnant! Pop the champagne!”

  11. I installed NoScript, and it probably doesn’t break out of the iframe. Fixing things with JavaScript isn’t the way, I guess.
    Anyway, security for Web 2.0 sites is crucial. I once made an IMVU userpage XSS script that copied itself upon viewing. They were quick to disable and fix it though.

  12. As a previous user mentioned, z-index will still allow this type of tomfoolery to persist.
    Example:
    Determine the z-index (usually 0) of the target site image/area, set the z-index of a new image, message, etc. to higher than the one on the site (1 should usually work) and place it on the same space using CSS. The new link/image/etc. is on top, visible or not, which could be an exact duplicate of whatever is hiding under it, but redirecting some place else.

    Also, I don’t know if it has been updated, but the method of using a transparent GIF (note: not transparent by browser opacity, but transparent by its actual ‘color’ scheme) as an overlay was quite popular on social networking site spam a few years ago.

    Originally I was thinking to use the zindex method to jokingly “deface” friends social networking sites by putting up an edit in place of their image which was animated to do other things besides look pretty and static, but once spammers started hitting the sites with it, I thought better to not.

    Anyway… even with simple HTML being used, there will still be people who are so caught up in their desperate, yet quiet, self worth issues and will click on things “just in case” or “out of boredom”… I think early high school was the hardest computer repair time I have seen because those kids DESTROY computers and laugh it off, all with purposeful internet spam clicking.

    Peace!

  13. I use a twitter account for server notifications as part of a basic network monitor that I threw together after many nights of fighting a windows box that refused to stay online.

    I don’t have the original link, but google “PHP twitter curl” and one of the top links should give you a link to the guy that figured out how to do it using a PHP library curl to parse the XML sent to twitter and received from it on posting. (success, failure, etc)

    Twitter does have its uses; it is a quick way to get txt messages to many people at one time without having to kill yourself trying to mass-forward or retype the txt.

  14. lol, I learned that lesson the hard way. One time there was a button in someone’s sig that said “Don’t Click” and I clicked it. It took me to a gay porn site that had my speakers blaring “I’m looking at gay porn”.

    Now I’m a lot more cautious when it comes to hyperlinks.
