new icn messageflickr-free-ic3d pan white
That "Don't Click" Twitter virus thing | by Schill
Back to photostream

That "Don't Click" Twitter virus thing

"Twitterjacking" in the wild, an example of "clickjacking."


Effectively, the trick is you are clicking "update" on twitter and updating your status, when it looks like you are pushing a button on a totally unrelated web site.


What's happening here is a hidden iFrame is positioned on top of a button that says "don't click", on a regular web site.


The iFrame is pointing to't Click [bad URL] - so that loads your Twitter homepage, assuming you're logged in, with the form pre-filled for your status update. Only thing you need to do now is click "update", and you will have re-tweeted the "virus."


The iFrame achieves this by positioning itself such that the "update" button overlays the button you are actually seeing in the page - however, it's invisible normally because the iframe's opacity is 0. I've edited it with Firebug to be 0.5, so you see the hidden iFrame which actually receives the click.


Sneaky, eh?


One way to help prevent this is to use frame-busting javascript, and/or don't allow form fields to be prepopulated via GET parameters (I'm uncertain if the latter is preventable, as it may be a browser behaviour.)

7 faves
Taken on February 12, 2009