Twitterers Spooked By Clickjacking
Seems like popular websites go through stages: early buzz and adoption, mainstream media recognition, funding and monetization brainstorming, meteoric growth, the how-easy-is-it-to-hack stage, the marketer gaming stage, the juggernaut stage, and finally, the full corporate-government conspiracy stage. Twitter, it would appear, is in the how-easy-is-it-to-hack stage.
2009 has already been a rough year for Twitter in terms of hacker exploits. Yesterday, lots of Twitterers were clickjacked. In its most basic form, clickjacking works like this: an attacker's page loads the target site into an invisible or disguised iframe and lines up one of that site's real buttons underneath something the visitor wants to click. The click lands on the hidden control, and because the browser sends the victim's cookies along with the framed page, the action runs in the victim's logged-in session. It is typically used to make people perform actions on their own accounts without realizing it, and sometimes to lure them into handing over login or financial information.
In Twitter’s case, it almost seems like a test run to freak a lot of people out. Some users saw the words “Don’t Click:” followed by a link. Either because that particular phrase has the same reverse power as its cousins Don’t Look, Don’t Fall, and Don’t Drop It, or because they thought their friends on Twitter were messing with them, many people clicked the link they were told not to click.
The result? The click landed on Twitter’s own update button, hidden in a frame with the same message already filled in, so the message and link posted to that person’s account and went out to their followers, perpetuating a very annoying cycle and causing users to have mild I’ve-been-hacked freakouts.
Twitter co-founder Biz Stone acknowledged the incident on his blog and said the Twitter crew had updated the site to block the clickjacking technique.
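The attack only works if the target page can be loaded into someone else's iframe in the first place, which is why the fix on the site side is to refuse framing. The post does not say how Twitter did that, and the following is an added example rather than Twitter's code: it evaluates the two response headers browsers now honour for this, X-Frame-Options and the Content-Security-Policy frame-ancestors directive, and answers whether a page served from one origin may be framed by a document from another. The headers and origins in the sample calls are constructed for illustration.

```javascript
// Added example (not from the article or from Twitter): decide whether a
// response may be framed, from its X-Frame-Options and CSP headers alone.
// No network or DOM is involved; the caller passes the header values it saw.

// Normalise "scheme://host[:port]" so origins compare reliably.
function normOrigin(o) {
  const u = new URL(o);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Does one frame-ancestors source expression match the framing origin?
// Handles 'none', 'self', '*', a bare scheme ("https:") and host sources
// with an optional scheme, "*." wildcard label and port.
function sourceMatches(src, pageOrigin, framerOrigin) {
  const framer = new URL(framerOrigin);
  if (src === "'none'") return false;
  if (src === "'self'") return normOrigin(pageOrigin) === normOrigin(framerOrigin);
  if (src === "*") return true;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return framer.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false; // unparseable source never matches
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme.toLowerCase() + ":" !== framer.protocol) return false;
  const fh = framer.hostname.toLowerCase();
  const h = host.toLowerCase();
  // "*.example.com" matches subdomains only, not example.com itself.
  if (wild ? !fh.endsWith("." + h) : fh !== h) return false;
  const framerPort = framer.port || defaultPort(framer.protocol);
  if (port && port !== "*" && port !== framerPort) return false;
  return true;
}

// Return the frame-ancestors source list from a CSP value, or null if absent.
function frameAncestors(csp) {
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// headers: response headers keyed by lower-case name.
// Returns true when a page from pageOrigin may be framed by framerOrigin.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers["content-security-policy"];
  const ancestors = csp ? frameAncestors(csp) : null;
  if (ancestors) {
    // When frame-ancestors is present it takes precedence over X-Frame-Options.
    // An empty source list behaves like 'none'.
    return ancestors.some(s => sourceMatches(s, pageOrigin, framerOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return normOrigin(pageOrigin) === normOrigin(framerOrigin);
  // ALLOW-FROM was never widely supported and is ignored by current browsers,
  // so it is treated as no protection, as is a missing header.
  return true;
}

// Constructed sample responses for a fictional target origin.
const TARGET = "https://target.example";
const ATTACKER = "https://evil.example";
const SAMPLES = {
  unprotected: {},                                           // framable by anyone
  denyAll: { "x-frame-options": "DENY" },
  sameOrigin: { "x-frame-options": "sameorigin" },
  cspPartners: { "content-security-policy":
    "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
};

// Report which constructed responses an attacker page could frame.
function framableBy(framerOrigin) {
  return Object.keys(SAMPLES).filter(n => framingAllowed(SAMPLES[n], TARGET, framerOrigin));
}

console.log("framable by", ATTACKER, ":", framableBy(ATTACKER));
```

A practitioner checking a site for this would fetch the page that carries the sensitive button, feed its headers to `framingAllowed` with the attacker origin, and treat a `true` result as framable. Note that the check models what browsers enforce, not the JavaScript frame-busting scripts sites relied on in 2009, which could be defeated from the framing page in several ways and are no substitute for the headers.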
For those worried about clickjacking when not on Twitter, Graham Cluley at Sophos recommends Firefox’s NoScript plug-in, which warned users about the attempt the first time around.