How The “Don’t Click” Twitter Hack Works
I began to see "Don’t Click" posts appearing in my Twhirl client from a few different users. Then came the warnings not to click the links in those tweets, since doing so would tweet a "Don’t Click" from my own account. Being curious (and careful), I decided to figure out how this could work. First, I would like to recommend that you don’t follow my steps unless you know what you’re doing. This instance is relatively benign (annoying, but benign); the next instance could result in virus/trojan infestation.
- You see "Don’t Click" posted by one of your Twitter Friends. Being the curious sort, you click on the link.
- The page that loads contains an iFrame. This iFrame loads up Twitter.com with another "Don’t Click" message pre-filled out. So far, this isn’t a threat of any kind. Websites can do this all they want; they just can’t interact with the contents of the iFrame (beyond loading up completely new contents). The website doesn’t have access to your Twitter username or password.
- The iFrame is set via CSS to be transparent. This means that it’s there and clickable, but you don’t actually see it.
- A "Click Here" button is shown and positioned (via CSS) right where the Twitter.com page’s submit button is.
- You, again being the curious sort, try to click the "Click Here" button.
- Instead of clicking "Click Here", your browser registers the click on the Twitter Submit button (located on top of the "Click Here" button but invisible to you).
- Twitter posts a "Don’t Click" message in your name.
It is quite clever, but it still requires two user actions: first, you need to click on the "Don’t Click" link; next, you need to click on the "Click Here" button. This whole hack wouldn’t work if Twitter.com didn’t support pre-filling messages, but those pre-filled messages can come in handy from time to time. So what can Twitter do to prevent this? To be honest, I don’t know. They’ve said that they’re working on it, but (short of removing the "pre-filled message" functionality) this prank uses only standard HTML/CSS conventions. For now, though, the easiest way to prevent this is not to click on those links or, if you do, not to click on the second link.
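The technique above is what is generally called clickjacking, and the defence that browsers support is for the framed site to declare which origins may frame it, via the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive. The following is an added example, not code from the original post or from Twitter: a Python audit helper that reads a response's headers (a constructed dict here) and classifies how freely the page can be framed, so a defender can check whether a form like the tweet box is exposed to this kind of overlay.

```python
from typing import Dict, List, Optional, Union

HeaderValue = Union[str, List[str]]
# Verdicts ordered from most to least protected; used to combine several CSP headers.
RANK = {"none": 0, "same-origin": 1, "restricted": 2, "open": 3}

def _values(headers: Dict[str, HeaderValue], name: str) -> List[str]:
    """Case-insensitive header lookup; a header may be repeated, so return a list."""
    out: List[str] = []
    for key, val in headers.items():
        if key.lower() == name.lower():
            out.extend(val if isinstance(val, list) else [val])
    return out

def _frame_ancestors(policy: str) -> Optional[List[str]]:
    """Sources of the frame-ancestors directive, or None if absent (default-src does not cover it)."""
    for directive in policy.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers: Dict[str, HeaderValue]) -> str:
    """Return 'none' (cannot be framed), 'same-origin', 'restricted' (allow-list) or 'open'."""
    # CSP frame-ancestors takes precedence over X-Frame-Options; when several CSP
    # headers are present every policy must allow the framing, so the strictest wins.
    verdicts: List[str] = []
    for policy in _values(headers, "Content-Security-Policy"):
        sources = _frame_ancestors(policy)
        if sources is None:
            continue
        if not sources or sources == ["'none'"]:
            verdicts.append("none")
        elif "*" in sources:
            verdicts.append("open")
        elif sources == ["'self'"]:
            verdicts.append("same-origin")
        else:
            verdicts.append("restricted")
    if verdicts:
        return min(verdicts, key=RANK.__getitem__)
    # Fall back to X-Frame-Options. Browsers ignore unrecognised values and the old
    # ALLOW-FROM form is obsolete, so only DENY and SAMEORIGIN count as protection.
    xfo = [v.strip().upper() for v in _values(headers, "X-Frame-Options")]
    if "DENY" in xfo:
        return "none"
    if "SAMEORIGIN" in xfo:
        return "same-origin"
    return "open"
```

A page that reports "open" can be loaded in a transparent iFrame by any site; "none" or "same-origin" is what a site hosting a pre-filled form should return.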