The “Don’t Click” TwitterBomb
So this Twitter bomb is spreading like wildfire – it works by overlaying the Twitter page in an invisible iframe (spotted by @peterc).
As most people stay logged in to Twitter, when they click the ‘Don’t click’ button (who can resist?!), it actually submits a tweet for you.
I’m not sure if this is exploiting any vulns at all. Some people are crying out ‘XSRF!!’ etc, but I’m not sure this is the case.
See the attached screenshots for the Firebug explanation :)
See Simon Willison’s presentation on web security for a more thorough explanation of click jacking and other exploits.
update: looks like Twitter have reacted
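The trick above only works because twitter.com could be loaded in a frame by a page on any other origin; the durable fix is for the server to declare who may frame it. As an added example (not code from the original post or from Twitter), here is a Node.js check that, given a page's response headers, decides whether a given embedding origin could put it in an iframe, applying CSP `frame-ancestors` first and falling back to `X-Frame-Options`; the header values in the demo are constructed.

```javascript
// Added example: can `pageUrl` be framed by a page served from `embedderUrl`?
// CSP frame-ancestors is honoured first (it overrides X-Frame-Options when present),
// then X-Frame-Options DENY / SAMEORIGIN. No policy at all means anyone can frame it.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Does one frame-ancestors source expression match the embedding origin?
function sourceMatches(src, embedder, page) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedder === page;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.startsWith(src + '//'); // scheme-only, e.g. https:
  const e = new URL(embedder);
  const [scheme, hostPort] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && scheme + ':' !== e.protocol) return false;
  const [host, port] = hostPort.split(':');
  const ePort = e.port || (e.protocol === 'https:' ? '443' : '80');
  if (port && port !== '*' && port !== ePort) return false;
  if (host.startsWith('*.')) {
    const suffix = host.slice(1); // ".example.com"
    return e.hostname.endsWith(suffix) && e.hostname !== host.slice(2);
  }
  return host === e.hostname;
}

function canBeFramed(headers, pageUrl, embedderUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const page = originOf(pageUrl), embedder = originOf(embedderUrl);
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(s => s.trim()).find(s => /^frame-ancestors(\s|$)/i.test(s));
    if (directive) {
      // An empty source list is equivalent to 'none'.
      return directive.split(/\s+/).slice(1).some(s => sourceMatches(s, embedder, page));
    }
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === page;
  return true; // no anti-framing policy: the situation this post describes
}

// Constructed demo: an unprotected page versus one that only allows same-origin framing.
console.log(canBeFramed({}, 'https://twitter.com/home', 'https://third-party.example/dontclick'));
console.log(canBeFramed({ 'X-Frame-Options': 'SAMEORIGIN' }, 'https://twitter.com/home', 'https://third-party.example/'));
```

Run it against a site's real response headers (for example from `curl -I`) to audit whether the frame-busting a site relies on is backed by a header the browser enforces; the first demo line prints `true`, the second `false`.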

Clay Johnson said,
February 12, 2009 @ 7:27 pm
We did a little research over on Sunlight Labs as well on Don’t Click:
http://bit.ly/kj1z9