The “Don’t Click” TwitterBomb

So this Twitter bomb is spreading like wildfire – it works by loading Twitter in an invisible iframe laid over the bomb page, so the button you see is not the one you actually click (spotted by @peterc).

As most people stay logged in to Twitter, when they click the ‘Don’t click’ button (who can resist?!), the click lands on Twitter’s own form inside the hidden iframe and submits a tweet from your account.

I’m not sure if this is exploiting any vulns at all. Some people are crying out ‘XSRF!!’ etc, but I’m not sure this is the case.
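As an added example (not code from the original post), here is a small check of the two response headers browsers now honour against this kind of overlay, X-Frame-Options and CSP frame-ancestors: given a site’s headers and the origin of the page trying to frame it, it says whether the framing is allowed. The origins and header sets are constructed, and ports are ignored for brevity.

```javascript
// Added example, not from the original post. Origins and headers are constructed.
// Ports are ignored for brevity.

function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null; // CSP present but says nothing about framing
}

function sourceMatches(source, framerOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return framerOrigin === pageOrigin;
  if (s === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return framer.protocol === s; // scheme-only, e.g. https:
  const [scheme, host] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme && framer.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1)); // wildcard label
  return framer.hostname === host;
}

function canBeFramedBy(headers, framerOrigin, pageOrigin) {
  const get = (n) => headers[Object.keys(headers).find((k) => k.toLowerCase() === n)];
  const ancestors = parseFrameAncestors(get('content-security-policy'));
  if (ancestors) {
    // frame-ancestors takes precedence over X-Frame-Options when both are present
    return ancestors.some((src) => sourceMatches(src, framerOrigin, pageOrigin));
  }
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // No policy (or an unrecognised value, which browsers ignore): any site can
  // put the page in a transparent iframe, which is all the Don't Click page needed.
  return true;
}

// Constructed sample responses: an unprotected page and a hardened one.
const UNPROTECTED = { 'Content-Type': 'text/html' };
const PROTECTED = { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" };
const PAGE = 'https://twitter.example';
console.log(canBeFramedBy(UNPROTECTED, 'https://dontclick.example', PAGE)); // true
console.log(canBeFramedBy(PROTECTED, 'https://dontclick.example', PAGE)); // false
```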

See attached screenies for firebug explanation :)

Twitbomb - before

Twitbomb - after

See Simon Willison’s presentation on web security for a more thorough explanation of click jacking and other exploits.

Update: looks like Twitter have reacted.

1 Comment »

  1. Clay Johnson said,

    February 12, 2009 @ 7:27 pm

    We did a little research over on Sunlight Labs as well on Don’t Click:
