Daniel Sandler on How the Twitter ‘Don’t Click’ Trick Worked

A lot of panicked Twitter users thought their account had been compromised, but it was far simpler than that:

The attack page creates a button labeled “Don’t Click” that does nothing at all, but it also loads twitter.com in an <IFRAME> directly on top of the button. That IFRAME is then made completely transparent using CSS.

When you click the button, you’re actually clicking on the (now invisible) ‘Update’ button on Twitter’s web interface instead; assuming you’re logged in to Twitter, you’ll immediately post whatever’s in the form input box.

Is there a good reason why browsers should allow <iframe> elements to be transparent?
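As an added example (not part of Sandler's post or Gruber's commentary), here is how a site protects the framed page itself rather than relying on the browser to forbid transparent iframes: it sends response headers that tell the browser never to render the page inside another origin's frame, so the overlay trick has nothing to click on. The `antiFramingHeaders` and `blocksFramingFrom` functions and the origins in the comments are constructed for illustration.

```javascript
// Headers a site should send on any page that performs a state-changing
// action (such as a status-update form), so the browser refuses to render
// it inside a frame on another origin. X-Frame-Options is the older
// mechanism; the CSP frame-ancestors directive is the modern one. Sending
// both covers old and new browsers.
function antiFramingHeaders() {
  return {
    "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors 'none'",
  };
}

// Given response headers (names lower-cased), decide whether a browser that
// honours them would refuse to render the page inside a frame hosted on
// `framerOrigin`, when the page itself lives on `pageOrigin`.
// Returns true when framing is blocked, false when the page can be framed
// (and therefore overlaid invisibly, as in the "Don't Click" trick).
// Simplified: origins are compared as exact lower-cased strings.
function blocksFramingFrom(headers, framerOrigin, pageOrigin) {
  const framer = framerOrigin.toLowerCase();
  const page = pageOrigin.toLowerCase();
  const csp = headers["content-security-policy"];
  if (csp) {
    const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
    if (m) {
      // When both headers are present, CSP frame-ancestors wins.
      const sources = m[1]
        .trim()
        .split(/\s+/)
        .map((s) => s.replace(/^'|'$/g, "").toLowerCase());
      if (sources.includes("none")) return true;
      const allowed =
        sources.includes("*") ||
        (sources.includes("self") && framer === page) ||
        sources.includes(framer);
      return !allowed;
    }
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return true;
  if (xfo === "SAMEORIGIN") return framer !== page;
  return false; // no protection at all: any origin may frame this page
}
```

A response with neither header is the vulnerable case the post describes; the check above lets a deployment test confirm that every state-changing page sends at least one of them.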

Thursday, 12 February 2009