
haha, I saw something quite cool and possibly scary today.
One of the people I follow had a tiny url with the message “don’t click” so, of course, I clicked it and was presented with a blank page containing one button. Of course, I clicked that button too but nothing happened… until I saw people replying to me saying “no I didn’t”. It turns out that when I clicked the button, I was actually sending the link to my own public timeline!! How? Well, some French guy made a post about how to automatically send a tweet as the person who clicks a button by using an iframe and some simple CSS. I don’t know if he was the first Twitter jacker but I’m sure he won’t be the last!
It’s something that is spreading around Twitter. As I type this, “Don’t Click” is a trending topic on Twitter search…

The button labeled “don’t click this” was actually the update button on Twitter’s home page. You can’t see the rest of the page, but when you click (well, most people would!), you are actually clicking on Twitter’s update button.
The message is added by urlencoding a message on to the end of the Twitter home page URL, thusly:
http://twitter.com/home?status=
and the urlencoded message (urlencoding changes spaces and other special characters to their hex equivalents) goes after it…
I+luv+the+commentluv+plugin%21
As long as you’re logged in to Twitter, clicking this link will show a message of my choosing in your own update field. If I used HTML to insert an iframe into a page with a button I made, all I would have to do is set the opacity of the iframe to 0 and position it so the update button is (invisibly) over the button I put on the page. (Don’t worry, I didn’t do any shenanigans with the link above.)
I did a quick bash up of some HTML (lol, no JavaScript needed) to see if I could do it and, well, it’s a piece of piss really. I decided not to show it to you as a working example because I am pretty sure that the Twitter T.o.S. doesn’t like anything to do with posting on someone’s behalf by misleading them (impersonation violation?).
You can read some ways to prevent this from being used against you on this rather fine post.
Another way to detect it is to have a script that faintly outlines any iframes on the page so you can see if there’s a doin’s goin’ on! I think I smell tomorrow’s project!
(either that or petition Twitter to have frame breaking script on any page that a user has text input and update buttons on).
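The two defences just mentioned, the iframe-outlining script and the frame-breaking script, as an added example that is not code from the original post. `auditFrames()` walks every iframe in a document, gives each a faint outline and reveals the ones that are transparent and positioned out of normal flow (the overlay shape described above); `frameBuster()` refuses to stay inside a foreign frame. Both take the document or window as a parameter so they can run in a browser or against the constructed stand-ins at the bottom; the domains, URLs and page layout in those stand-ins are made up for the example.

```javascript
// Added example, not from the original post: defender-side helpers for the
// invisible-iframe trick. In a browser call auditFrames(document,
// getComputedStyle) and frameBuster(window); here they run against fakes.

function isEffectivelyInvisible(style) {
  const opacity = parseFloat(style.opacity);
  return (!Number.isNaN(opacity) && opacity < 0.1) ||
    style.visibility === "hidden" || style.display === "none";
}

// Inspect every <iframe> in doc. getStyle must return its computed style.
// Returns one report per frame and, as a side effect, outlines every frame
// faintly and makes the suspicious ones visible so you can see what a click
// would really land on.
function auditFrames(doc, getStyle) {
  const report = [];
  for (const frame of Array.from(doc.querySelectorAll("iframe"))) {
    const style = getStyle(frame);
    const rect = frame.getBoundingClientRect();
    // Invisible AND taken out of normal flow is the overlay pattern: such a
    // frame can be parked on top of a button the visitor thinks is the page's.
    const overlaid = style.position === "absolute" || style.position === "fixed";
    const suspicious = isEffectivelyInvisible(style) && overlaid;
    frame.style.outline = suspicious ? "3px dashed red" : "1px dotted rgba(255,0,0,0.4)";
    if (suspicious) frame.style.opacity = "1";
    report.push({ src: frame.src, suspicious,
      left: rect.left, top: rect.top, width: rect.width, height: rect.height });
  }
  return report;
}

// Classic frame breaking. Returns what it decided; in a browser the
// assignment to win.top.location replaces the framing page with this one.
function frameBuster(win) {
  if (win.top === win.self) return { framed: false, busted: false };
  try {
    // A same-origin parent is legitimate (a site framing its own pages).
    if (win.top.location.host === win.location.host) {
      return { framed: true, busted: false };
    }
  } catch (e) {
    // Reading a cross-origin parent's location throws: treat it as hostile.
  }
  win.top.location = win.location.href;
  return { framed: true, busted: true };
}

// ---- Constructed stand-ins (invented pages, not real sites) ----
function fakeFrame(src, style, rect) {
  return { src, style: { ...style }, getBoundingClientRect: () => rect };
}
// Fresh objects every call, because auditFrames mutates frame styles.
function makeSampleDoc() {
  const visible = { opacity: "1", position: "static", visibility: "visible", display: "block" };
  const overlay = { opacity: "0", position: "absolute", visibility: "visible", display: "block" };
  const frames = [
    fakeFrame("https://video.example/embed/1", visible,
      { left: 0, top: 400, width: 300, height: 200 }),
    // the pattern from the post: transparent, positioned, pointed at a status URL
    fakeFrame("https://social.example/home?status=I+luv+the+commentluv+plugin%21", overlay,
      { left: 120, top: 80, width: 600, height: 800 }),
  ];
  const doc = { querySelectorAll: (sel) => (sel === "iframe" ? frames : []) };
  return { frames, doc, getStyle: (f) => f.style };
}

function fakeWindow(href, host, top) {
  const win = { location: { href, host } };
  win.self = win;
  win.top = top || win;
  return win;
}
// A cross-origin top window: reading its location throws, as in a browser.
function hostileTop() {
  const loc = Object.defineProperty({}, "host", { get() { throw new Error("cross-origin"); } });
  return { location: loc };
}

if (typeof window === "undefined") {
  const s = makeSampleDoc();
  console.log(auditFrames(s.doc, s.getStyle));
  console.log(frameBuster(fakeWindow("https://social.example/home", "social.example", hostileTop())));
}
```

The outline heuristic is deliberately loose (a hidden analytics iframe will get a faint outline too); the red, revealed ones are the candidates worth a closer look. Note that script-only frame breaking can be defeated by a framing page, so the robust version of the petition in the last paragraph is for the site to send an `X-Frame-Options: DENY` header (or a `Content-Security-Policy: frame-ancestors` directive), which goes beyond what the post covers.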
12.02.09 7:38 pm
[...] Why did I just click this link? I got twitter-jacked! – Andy Bailey [...]
#1
12.02.09 7:38 pm
Thanx for posting this information, along with how this got accomplished!
#2
13.02.09 1:13 am
OMG I can’t help not clicking on anything that says don’t click here,
I wonder if I could set up a clickable ad and make some money like that
#3
13.02.09 1:20 am
cj: it’s not that hard, I don’t recommend it though. If you get caught, and it’s not hard to check for it, then you’re in for a banning!
movie guy: there’s lots of ‘dark’ ways to use this method but almost all will cause you to get caught before you can cash in your first payment!
Andy Bailey’s last blog post..Blogger CommentLuv gets updated with new features
#4
18.02.09 8:40 pm
Twitter: lottomad
Sounds a bit complex and weird to me, but then again I don’t get Twitter either, I mean what’s the point, I see it from a commercial/blogging point of view, but for someone just to say what they are doing?????????????
dave t’s last blog post..Daily Telegraph Fantasy Football Password for Wednesday 18th of Janurary (18/02/2009)
#5
18.03.09 12:36 am
Reverse psychology always works on me. If someone tells me not to look, I am definitely going to look. Apparently no means yes!
Kai Lo’s last blog post..Google Pagerank 0
#6