Thursday, February 12th, 2009

If a button says don’t click, don’t – Twitter being flooded by clickjacking spam.

Category: Security

Twitter is currently running hot with tweets announcing that you shouldn’t click, followed by a tinyurl. The page behind the tinyurl has a button that tells people not to click it – which of course they do. Clicking the button posts the same tweet from their own account, telling other gullible people not to click the button – which of course those people do.

The whole thing is a wonderful example of clickjacking. The page contains a visible button that does exactly nothing. Laid over it is an IFRAME pointing at your Twitter home page, with the status form prefilled with the tweet that invites others to be a rebel and click the button that shouldn’t be clicked. The IFRAME has an opacity of 0, sits above the decoy button in the stacking order, and is offset so that the part of Twitter directly under the decoy is the real update button. Opacity does not change where a click lands, so what you actually press is Twitter’s update button – and because the browser sends your Twitter cookies with the framed page, the tweet goes out from your logged-in account without you ever seeing the form.

/* invisible frame of twitter.com, shifted up and left so that the update button sits under the decoy; z-index 2 puts it on top of the button */
iframe { position:absolute; width:550px; height:228px; top:-170px; left:-400px; z-index:2; opacity:0; filter:alpha(opacity=0); }
/* the visible “don’t click” decoy; z-index 1 keeps it underneath the frame, so it never receives the click */
button { position:absolute; top:10px; left:10px; z-index:1; width:120px; }

Scott Schiller explains with a screenshot how the trick works:

It is going to be interesting to see whether Twitter will stay up and how this can be stopped. I guess asking tinyurl to cut the lifeline of the two URLs used will do it – but there are others already out there – in French and German. *Update:* TinyURL did suspend the URLs now. However, there will be a lot of copycats.
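As an added example (this is not code from the post, from Scott Schiller or from Twitter), the following JavaScript models the attack page from the CSS quoted above and shows the two ways the victim site can stop it. It assumes a decoy button about 24px tall and a placeholder target URL; the position of the update button inside twitter.com is inferred from the attacker’s offsets, not taken from Twitter. The geometry, hit-test and header functions are pure, so the file runs under Node without a browser; only the frame-busting line quoted in the comments needs a window.

```javascript
'use strict';
// Added example, not code from the Ajaxian post, Scott Schiller or Twitter. It models the
// "Don't click" page from the CSS quoted in the post and the two defences that stop it.
// Assumptions (not in the post): the decoy button is ~24px tall, the framed URL carries the
// prefilled tweet, and the update button's position inside twitter.com is only inferred
// from the attacker's offsets.

// Pixel values copied from the CSS in the post.
const ATTACK_CSS = {
  iframe: { top: -170, left: -400, width: 550, height: 228, zIndex: 2, opacity: 0 },
  button: { top: 10, left: 10, width: 120, height: 24 /* assumption */, zIndex: 1 },
};

// Builds the attacker's page: a visible decoy button that does nothing, covered by an
// invisible iframe of the victim site. `targetUrl` is whatever the attacker frames.
function buildAttackPage(targetUrl, css = ATTACK_CSS) {
  const f = css.iframe;
  const b = css.button;
  return [
    '<!DOCTYPE html><html><head><style>',
    `iframe { position:absolute; width:${f.width}px; height:${f.height}px; top:${f.top}px; left:${f.left}px;`,
    `         z-index:${f.zIndex}; opacity:${f.opacity}; filter:alpha(opacity=${f.opacity * 100}); }`,
    `button { position:absolute; top:${b.top}px; left:${b.left}px; z-index:${b.zIndex}; width:${b.width}px; }`,
    '</style></head><body>',
    "<button>Don't click</button>",
    `<iframe src="${targetUrl}"></iframe>`,
    '</body></html>',
  ].join('\n');
}

// Which rectangle of the framed document lies under a rectangle of the attacker's page?
// A point at page (x, y) is at frame-document (x - iframe.left, y - iframe.top).
// For the post's CSS the decoy at (10,10) maps to (410,180) inside twitter.com: that is
// where the real update button must be for the trick to work.
function framedRegionUnder(pageRect, iframeCss) {
  return {
    left: pageRect.left - iframeCss.left,
    top: pageRect.top - iframeCss.top,
    width: pageRect.width,
    height: pageRect.height,
  };
}

// Hit-testing ignores opacity: if the iframe covers the point and is above the decoy in
// stacking order, the click goes to the framed page, not to the visible button.
function clickHitsFrame(x, y, css = ATTACK_CSS) {
  const f = css.iframe;
  const inside = x >= f.left && x < f.left + f.width && y >= f.top && y < f.top + f.height;
  return inside && f.zIndex > css.button.zIndex;
}

// Defence 1: frame busting, the fix the comment thread reports Twitter shipped. Kept as a
// pure decision so it runs without a DOM; in the browser the framed page would run
//   if (frameBustTarget(window.top === window.self, location.href)) top.location = location.href;
// Caveat: it needs script to run in the framed page and can be fought by the framing
// page, so it is a stop-gap rather than a guarantee.
function frameBustTarget(isTopWindow, ownUrl) {
  return isTopWindow ? null : ownUrl;
}

// Defence 2: tell the browser not to render the page in a frame at all. These are real
// response headers that browsers adopted after this episode; the victim site sends
// them on every HTML response and the iframe simply stays blank.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// Demo when run directly with node.
if (typeof module !== 'undefined' && require.main === module) {
  console.log(framedRegionUnder(ATTACK_CSS.button, ATTACK_CSS.iframe));
  console.log(clickHitsFrame(20, 15), clickHitsFrame(300, 100));
  console.log(antiFramingHeaders());
  console.log(buildAttackPage('https://example.test/home'));
}
```

The geometry function is the useful part for a defender: given an attacker’s offsets you can tell which control of your site was the target, and given your own layout you can tell what offsets an attacker would need. The header-based defence is the one to rely on today; frame busting is only what was available to Twitter at the time.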

In any case this shows several things:

  • Don’t trust any button
  • Reverse psychology always works (do not send me money on paypal, please!)
  • Staying authenticated in browsers is a bad thing
  • Maybe an AIR client is a better solution for using Twitter.


Posted by Chris Heilmann at 1:41 pm
14 Comments




I don’t like this whole Twitter thing that’s going on in the past months.
It’s a stupid boring web site with nothing new in it. Boring! People are absolutely hypnotized by it!
Craziness.

Comment by vsync — February 12, 2009

@vsync amazing. Totally irrelevant, too.

Comment by Chris Heilmann — February 12, 2009

Reverse psychology is amazing.
Just Simply amazing

Comment by V1 — February 12, 2009

LOL!!! I was about to send you money on paypal to see what you would do… :P

Comment by KevinMartin — February 12, 2009

I put up an explanation with some screenshots here:

http://softwareas.com/explaining-the-dont-click-clickjacking-tweetbomb

Comment by Michael Mahemoff — February 12, 2009

“It is going to be interesting if Twitter will stay up or how this can be stopped. I guess asking tinyurl to cut the lifeline of the two URL used will do it – but there are others already out there – in French and German. *Update:* TinyUrl did suspend the urls now. However, there will be a lot of copycats.”

Twitter has already updated their code to bust out of the iframe, so no more copycats for this particular vulnerability.

Comment by Michael Mahemoff — February 12, 2009

Yep, twitter sucks.

Comment by cnizz — February 12, 2009

Twitter, twitter, twitter… all day long!
In a month the whole internet will be gone and consumed by
this Twitter cr*p… Is there no dignity left? I’m sick of hearing about
Twitter all over the place. It’s like a spreading disease.

Comment by vsync — February 12, 2009

Glad for NoScript’s clickjacking blockers…

Comment by mdmadph — February 12, 2009

Got to admit… it’s really clever. I would’ve put a goatse image there too… just for fun ;)

Comment by igitur — February 13, 2009

I’m SAFE because I use NOSCRIPT which disables JAVASCRIPT so that the TWITTER site can’t function. Long live AJAX!

Comment by Jordan1 — February 13, 2009

“Maybe an Air client is a better solution for using Twitter.”

Maybe an AIR client, or something like it, is better for all web-enabled applications. Leave the browsers to do what they do best, delivering relatively static web pages, and run all of these applications in a sandboxed environment. Banking, bill paying, twitter/facebook/myspace, etc. would all be 1000x better if they would just do that. Then all of these problems would just go away.

Comment by edthered — February 13, 2009

@The World – regarding edthered’s comments…
This is just bs of course, but I guess most of us knew that already…
But I just have to say it anyway…

Flex (just like Silverlight) is nothing else than a badly refactored version of ActiveX, with fat client software running in browsers pretending to be “the web” while it’s really no more “the web” than a link to an exe file from a website is “the web”…

Ajax == Web2.0

Flex and Silverlight == ActiveX2.0…

But then again, we all knew that ;)

Comment by ThomasHansen — February 14, 2009

Simple solution:
Make a userscript that changes all opacity that is 0 to a higher value, say 1.

Comment by jerone — February 15, 2009
