Twitter Clickjacking Attack Causes Post-Awards Annoyance

Twitter clickjacking is putting a damper on the Shorty Awards

Twitter Nation, stand down: The clickjacking attack plaguing Twitter this Thursday has now been fixed.

Less than 24 hours after the first official awards show honoring Twitter users (and to any skeptical non-Twitter types, I am not making this up -- it was called the Shorty Awards and MC Hammer was there), someone started a social virus of sorts that quickly spread through the network.

Twitter Clickjacking: "Don't Click"

The Twitter clickjacking bug wasn't really a major threat, it seems, but more of a minor annoyance. Here's what happened: Someone would post a message saying "don't click," along with a masked URL. If you clicked the link, the same message would automatically get posted onto your Twitter account. One of your friends, then, would end up seeing your message, getting curious, and clicking it -- thereby creating a viral-spread sort of effect.

"Don't click" -- good ol' reverse psychology at its finest. Guess that stuff really does work. (Note to self: Start handing out phone number to attractive ladies with note saying: "Don't call.")

The Truth Behind the Tweeting

So what was really going on here? The cool cats over at the Sunlight Labs say it was all about the iframes. "What this 'virus' does is it creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it)," Sunlight Labs Director Clay Johnson explains in his blog. "There's not a bit of javascript involved," he says.

You can see the full code of the bug translated into English here. Of course, all you can really do is read it. It won't work anymore.

Twitter Fixers

Twitter's team was able to stop the bug in a matter of hours. "The 'don't click' + link thing is a 'clickjacking' hack," Twitter CEO Evan Williams wrote around 1:30 p.m. ET. "Don't click it. Fix going on now," his tweet instructed.

Within moments, Operations Engineer John Adams -- better known to followers as "Netik," his Twitter handle -- announced the flaw was fixed.

"We patched the 'don't click' clickjacking attack 10 minutes ago," he noted. "Problem should be gone."

Twitter's official blog now provides a bit more insight:

"Thankfully, the harm was restricted to constant reposting of the link, but we take malicious attacks on Twitter users very seriously and this morning we submitted an update which blocks this clickjacking technique."
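The mechanism Johnson describes (a hidden iframe of the page whose real button receives the victim's click, no JavaScript needed) works only if the browser is willing to render the page inside a third-party frame. As an added example, not code from the article, Sunlight Labs or Twitter, and not the patch Twitter actually shipped, which the page does not describe, here is the standard server-side defense: the response headers that refuse framing, together with a checker that flags a response that could still be framed. Origins and sample responses are constructed.

```python
from typing import Dict, Optional

def anti_framing_headers(allowed_origin: Optional[str] = None) -> Dict[str, str]:
    """Headers that stop browsers rendering this page inside someone else's frame.
    With no allowed_origin the page may not be framed at all; otherwise only by
    itself and the one named origin. Both headers are sent so old and new
    browsers are covered (CSP frame-ancestors takes precedence where supported)."""
    if allowed_origin is None:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": f"frame-ancestors 'self' {allowed_origin}"}

def framing_allowed(headers: Dict[str, str], page_origin: str, framer_origin: str) -> bool:
    """Could a document served from framer_origin embed a page that carries these
    response headers? Mirrors browser behaviour: a frame-ancestors directive, when
    present, decides; otherwise X-Frame-Options; otherwise framing is allowed."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if "'none'" in sources:
                return False
            if "*" in sources:
                return True
            # Exact-origin match only; scheme/host wildcards are not modelled here.
            allowed = {page_origin.lower() if s == "'self'" else s for s in sources}
            return framer_origin.lower() in allowed
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return page_origin.lower() == framer_origin.lower()
    return True  # no framing protection: the situation the "don't click" page relied on

# Constructed sample responses (not real Twitter headers): one unprotected, one hardened.
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {"Content-Type": "text/html", **anti_framing_headers()}

def audit(responses: Dict[str, Dict[str, str]], page_origin: str, third_party: str) -> Dict[str, bool]:
    """Map each named response to whether third_party could frame it; True means exposed."""
    return {name: framing_allowed(h, page_origin, third_party) for name, h in responses.items()}

if __name__ == "__main__":
    for name, exposed in audit({"unprotected": UNPROTECTED, "hardened": HARDENED},
                               "https://site.example", "https://other.example").items():
        print(f"{name}: {'framable by third party' if exposed else 'framing refused'}")
```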

Whew. At least we can rest at ease knowing that Hammer stayed safe from this thing. That guy is way too legit to click.

(Sorry. Couldn't resist.)
