'Don't Click' Attack Strikes Twitter Users | Internet News

Written By
Sean Gallagher
Feb 13, 2009


Using the simplest of social engineering hacks — an enticing message with a link, labeled “don’t click” — a “clickjacking” exploit of the Twitter microblogging service flooded its network today, hijacking users’ status to spread itself before the link could be shut down.


The exploit’s link — http://tinyurl.com/amgzs6 — relied on a URL hidden through use of the TinyURL link-shortening service. The hack was shut down early this afternoon by TinyURL’s founder, Kevin Gilbertson, after Twitter users notified him of the attack.


“On my end, I just got some e-mails mentioning it. So once I found that out, I terminated the URL like I do with other abuse instances,” Gilbertson told InternetNews.com. He added that he replaced the forward of the URL with a notice that the URL had been terminated due to a breach of TinyURL’s terms of service.


Before the link was blocked, however, it managed to place a major strain on Twitter’s infrastructure. At several points, visitors to the service’s Web site were greeted by a page saying that the site was over its message capacity. Twitter spokespeople did not return requests for comment.


The attack marks one of the highest-profile instances of clickjacking — a type of attack that tricks users into clicking a hidden element that triggers additional elements or actions.

“A friend of mine had been suckered into it, and I nearly clicked on it myself, it was so tempting,” said David Troy, president of Roundhouse Technologies, a Baltimore-based social networking software development company.


The attack was “a simple, stupid little exploit,” Troy said. “They figured out a way to launch an IFrame [a small browser window embedded in a page] that has a copy of the Twitter site in it, that was scaled down so small that you didn’t notice it.”

Troy said that when the exploit launched that IFrame, it created a Twitter post that included the URL and seemed to originate from the user.

“Somehow they managed to automate [it] and get [the attack URL] sent just simply by opening that IFrame,” he added.


Troy said he believed the exploit hinged on the fact that Twitter allows status messages to be sent as an HTTP “GET” request — the sort of request browsers send to fetch a Web page.
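The two weaknesses Troy describes, a status update accepted over GET and a page that can be rendered inside another site's frame, are closed on the server roughly as follows. This is an added example, not code from Twitter or from the original article; the handler names, the `status` and `csrf_token` parameter names and the session layout are assumptions, and the sample session is constructed.

```python
import hmac

# Headers telling the browser never to render this response inside a frame.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Constructed sample: a logged-in user's server-side session.
SESSION = {"user": "alice", "csrf_token": "constructed-token-123"}


def update_status_weak(method, params, session):
    """Pattern described in the article: any request carrying a status
    parameter, including a GET made by loading a URL in a frame, posts as
    the logged-in user. Returns (http_code, headers, posted_text_or_None)."""
    if "user" not in session:
        return 401, {}, None
    return 200, {}, params.get("status")


def update_status_hardened(method, params, session):
    """Same endpoint with GET made read-only, a per-session token required
    on POST, and framing forbidden on every response."""
    headers = dict(ANTI_FRAMING_HEADERS)
    if "user" not in session:
        return 401, headers, None
    if method in ("GET", "HEAD"):
        # Safe methods only render the page; parameters are never acted on.
        return 200, headers, None
    if method != "POST":
        return 405, headers, None
    expected = session.get("csrf_token", "").encode()
    supplied = params.get("csrf_token", "").encode()
    # A cross-site page cannot read the token, so it cannot supply it.
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, headers, None
    return 200, headers, params.get("status")


if __name__ == "__main__":
    framed_get = ("GET", {"status": "hello"})  # constructed cross-site request
    print("weak:    ", update_status_weak(*framed_get, SESSION))
    print("hardened:", update_status_hardened(*framed_get, SESSION))
```
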

TinyURL’s Gilbertson said this was the second time a TinyURL was used as a Twitter exploit, to his knowledge.


“There have been other instances of other people linking to viruses. We run every URL through a virus scanner, but that still doesn’t catch everything,” he said. “There are problems like that, and that’s something I try to keep on top of to make sure TinyURLs are safe to go to.”
