Twitter ‘patch’ the “don’t click” virus with one line of code

Before I get started, I would just like to confirm there is absolutely no reason to change your Twitter password. That’s right. Your password is safe even if you fell for the don’t click scam.

A harmless virus has been seen on Twitter over the last couple of weeks. It manifests itself as a tweet from someone which simply reads ‘Don’t click {link}’.
If you are logged into Twitter and you click the link, followed by a link on the following page which also reads ‘Don’t click’, then an identical message is posted to your own feed without your knowledge.

How? I hear you ask.
Well, the simple way to put it is that the site you are taken to hides your Twitter home page over the top of its own content. They then prefill the tweet form with some text and position the ‘Don’t click’ button in exactly the same place as the ‘update’ button on Twitter. Put simply, you post to your own feed without even knowing.

The geeky version is that they load your Twitter home page in a hidden iframe and prepopulate your tweet box. They then line up the two buttons so that when you click ‘Don’t click’, you are actually clicking to update your feed.

So what have Twitter done to stop it?
Well, on the Twitter blog they say “this morning we submitted an update which blocks this clickjacking technique”. What they have actually done is just made it harder for other sites to include Twitter within their own site. They implemented a fix using JavaScript, which 95%+ of internet users have enabled. The actual code Twitter used is:


if (window.top !== window.self) { window.top.location.href = window.self.location.href; }

Which basically says: if Twitter is in a frame, redirect so that Twitter is on top and isn’t in a frame.

So not only are there still 1000s of vulnerable sites; the same code Twitter have used will also stop plenty of fair and helpful uses of frame-based sites.
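The one-liner above, extended so that a site can keep allowing framing by origins it trusts (its own, for instance) while still busting out of anyone else's frame. This is an added example, not Twitter's code; the allowedAncestors list and the fakeWindow stand-in are assumptions so the check can be run outside a browser.

```javascript
// Added example, not Twitter's code: a frame check in the spirit of the
// one-liner above that also lets a site allow framing by trusted origins
// (e.g. its own), so legitimate same-origin framing keeps working.
function shouldBustFrame(win, allowedAncestors) {
  if (win.top === win.self) {
    return { bust: false, reason: 'not framed' };
  }
  let ancestorOrigin;
  try {
    // A same-origin parent exposes its location; a cross-origin parent
    // throws a SecurityError on access, which is itself the signal.
    ancestorOrigin = win.top.location.origin;
  } catch (e) {
    return { bust: true, reason: 'cross-origin frame' };
  }
  if (allowedAncestors.includes(ancestorOrigin)) {
    return { bust: false, reason: 'trusted ancestor ' + ancestorOrigin };
  }
  return { bust: true, reason: 'untrusted ancestor ' + ancestorOrigin };
}

// Apply the decision the way the one-liner does: navigate the top window
// to the framed page's own URL (setting a cross-origin top.location.href
// is allowed by browsers even though reading it is not).
function bustIfNeeded(win, allowedAncestors) {
  const decision = shouldBustFrame(win, allowedAncestors);
  if (decision.bust) {
    win.top.location.href = win.self.location.href;
  }
  return decision;
}

// Constructed stand-in for a browser window so the check runs outside a
// browser. topOrigin: null = not framed, undefined = cross-origin parent,
// a string = readable same-origin parent with that origin.
function fakeWindow(selfUrl, topOrigin) {
  const win = { location: { href: selfUrl, origin: new URL(selfUrl).origin } };
  win.self = win;
  if (topOrigin === null) {
    win.top = win;
  } else if (topOrigin === undefined) {
    const loc = { href: undefined };
    Object.defineProperty(loc, 'origin', { get() { throw new Error('SecurityError'); } });
    win.top = { location: loc };
  } else {
    win.top = { location: { href: topOrigin + '/', origin: topOrigin } };
  }
  return win;
}
```

Script-based frame busting is only a partial defence (it does nothing with JavaScript disabled, as noted below), so the browser-enforced X-Frame-Options or Content-Security-Policy frame-ancestors response headers are the check to deploy alongside it.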

Oh, and for once, if you have JavaScript disabled, you are still vulnerable. Now there is a refreshing change.