Explaining the “Don’t Click” Clickjacking Tweetbomb

TinyURL shut down the redirect quickly and Twitter has responded, but the same attack could arise unless measures are taken. Of which, more later.

Well, yeah, they reacted quickly once an English version made the rounds amongst popular US bloggers, but the French version had been running the Twittersphere, unnoticed, for a week.

The hack is an example of clickjacking. (I’ve heard the term a lot, but only understood its meaning after the investigation of this tweetbomb described here.) […]

Firstly, it’s using an iframe to embed Twitter.com on the page. The iframe is essentially invisible, due to the CSS structure […]

We can see from the CSS z-indexes, the iframe is on top of the button. And we can see from the iframe’s opacity that it is completely invisible. Hmmm… so it’s on top, but completely invisible. If there was a button there, you wouldn’t be able to see it, but you would still be able to click on it.

This is very clever — basically relying on transparent iframes (and I agree with Gruber’s point: why should iframes be allowed to be transparent?) and Twitter’s unvarying home page layout to trick you into clicking the “Update” button without knowing it.

And the fix only works if your browser has Javascript enabled; if it doesn’t, you’re still vulnerable, and it would be pretty complicated for Twitter to fix that. (Unless they stop accepting update text to be sent as a URL parameter, but I guess they implemented this so that some scripts or external sites could use the functionality.)