Twitter Clickjacking Attack Causes Post-Awards Annoyance
Twitter Nation, stand down: The clickjacking attack plaguing Twitter this Thursday has now been fixed.
Less than 24 hours after the first official awards show honoring Twitter users (and to any skeptical non-Twitter types, I am not making this up -- it was called the Shorty Awards and MC Hammer was there), someone started a social virus of sorts that quickly spread through the network.
Twitter Clickjacking: "Don't Click"
The Twitter clickjacking bug wasn't really a major threat, it seems, but more of a minor annoyance. Here's what happened: Someone would post a message saying "don't click," along with a masked URL. If you clicked the link, the same message would automatically get posted onto your Twitter account. One of your friends, then, would end up seeing your message, getting curious, and clicking it -- thereby creating a viral-spread sort of effect.
"Don't click" -- good ol' reverse psychology at its finest. Guess that stuff really does work. (Note to self: Start handing out phone number to attractive ladies with note saying: "Don't call.")
The Truth Behind the Tweeting
You can see the full code of the bug translated into English here. Of course, all you can really do is read it. It won't work anymore.
Twitter's team was able to stop the bug in a matter of hours. "The 'don't click' + link thing is a 'clickjacking' hack," Twitter CEO Evan Williams wrote around 1:30 p.m. ET. "Don't click it. Fix going on now," his tweet instructed.
Within moments, Operations Engineer John Adams -- better known to followers as "Netik," his Twitter handle -- announced the flaw was fixed.
"We patched the 'don't click' clickjacking attack 10 minutes ago," he noted. "Problem should be gone."
Twitter's official blog now provides a bit more insight:
"Thankfully, the harm was restricted to constant reposting of the link, but we take malicious attacks on Twitter users very seriously and this morning we submitted an update which blocks this clickjacking technique."
Whew. At least we can rest at ease knowing that Hammer stayed safe from this thing. That guy is way too legit to click.
(Sorry. Couldn't resist.)