Saturday, February 14, 2009

Curiosity drives Twitter "social virus"

If you were hanging out on Twitter today, you probably noticed a lot of very similar Tweets coming through, saying "Don't Click" followed by a shortened URL.

Many people, upon receiving that Tweet, immediately clicked the link, which took them to a page with a "Don't Click" button. And when they clicked on that button (assuming they were logged into Twitter in their web browser) they ended up posting a Tweet from their account. This Tweet repeated the original message: "Don't Click" followed by a shortened URL. Which all their Followers clicked. And so on.

The end result of this was huge numbers of "Don't Click" Tweets, a lot of puzzlement on the part of the Twitter community, and nothing more serious. This time at least.

The security community immediately got to work investigating the event and found that it was accomplished via clickjacking. Chris Shiflett has done a great job of explaining the exploit, as has Sunlight Labs. This wasn't a case of using clever JavaScript or any scripting at all. It was just done with an IFrame, pulling the Twitter page into the "Don't Click" page and populating the Status Update box on the Twitter page. However, the IFrame was rendered invisible via CSS. You thought you were clicking the "Don't Click" button on the page, but you were actually clicking the (now invisible) Update button on the embedded Twitter page. If that went over your head, the links above step through it much more clearly.

To their credit, the Twitter Engineers blocked the problem very quickly, and no real harm was done. But their fix isn't bulletproof, as Jeff Jones discovered.
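The attack above only works because the Twitter page could be loaded inside a foreign IFrame. As an added example (not code from the original post, and not Twitter's fix), here is a Node.js check a site operator could run against their own response headers to confirm that framing by another origin is refused; it assumes the standard X-Frame-Options header and the CSP frame-ancestors directive, neither of which the post itself discusses.

```javascript
// Added example: does this page's response allow it to be framed by
// framerUrl? Checks X-Frame-Options (DENY / SAMEORIGIN) and the CSP
// frame-ancestors directive; when both are present, CSP takes precedence.

function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null; // directive absent
}

function hostMatches(pattern, host) {
  if (pattern.startsWith('*.')) {
    const suffix = pattern.slice(1); // "*.example.com" -> ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

function sourceAllows(source, framer, page) {
  if (source === "'none'") return false;
  if (source === '*') return true;
  if (source === "'self'") return framer.origin === page.origin;
  // host-source: optional scheme plus host, with optional leading wildcard
  const m = source.match(/^(?:(https?):\/\/)?([^:/]+)$/);
  if (!m) return false;
  if (m[1] && m[1] !== framer.protocol.replace(':', '')) return false;
  return hostMatches(m[2], framer.hostname);
}

function framingAllowed(headers, pageUrl, framerUrl) {
  const page = new URL(pageUrl);
  const framer = new URL(framerUrl);
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? headers[key] : undefined;
  };
  const csp = get('content-security-policy');
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) return ancestors.some((s) => sourceAllows(s, framer, page));
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framer.origin === page.origin;
  return true; // no framing protection at all: the "Don't Click" page wins
}
```

A result of `true` for a framer origin you do not control means the invisible-IFrame trick described above would still work against that page.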

In some ways, the most interesting part of this story was the way the "virus" was distributed. Apparently the very best way to get people to click on something is to label it "Don't Click"!
