Friday, February 13, 2009

I am a virus, don't click me unless you're a twit

Yesterday some spam-esque messages hit a portion of the Twitter population. Twitter spam is nothing new, but there is a twist to this case. The Twitter messages read:

don't click: http://tinyurl.com/amgzs6

If you clicked the URL anyway despite the warning, you were taken to another page that had another "don't click" button on it. If you clicked that button (again ignoring the warning), you became the victim of a clickjacking (twit jacking?) attack on your Twitter account. The author of this clickjacking demonstration actually documents the whole brouhaha in his blog.

TinyUrl removed the offending URL, and Twitter added some frame-busting JavaScript code to their pages in order to make them less "clickjackable." But what is probably the most concerning outcome of this whole situation is that users' curiosity trumped security education. They were warned not to click something, twice, and they did it anyway. Twitter admins had to actually send a message to people stating the obvious:
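Frame busting of the kind the post says Twitter added, as an added JavaScript example that is not the original post's or Twitter's own code; the `win` and `doc` parameters are stand-ins for the browser's `window` and `document` so the logic can be exercised outside a browser, and the header-based control is mentioned because it is the stronger defence.

```javascript
// Added example: a frame-busting guard against clickjacking.
// Clickjacking loads the victim page inside an (often invisible) <iframe> on the
// attacker's page and lines a real button up under a decoy one. The guard below
// refuses to render the page while it is framed.
//
// Assumption (not from the original post): `win` and `doc` stand in for the
// browser's global `window` and `document` so the code can be tested in Node.

// True when this page is not the top-level browsing context, i.e. it is framed.
function isFramed(win) {
  return win.top !== win.self;
}

// Defence-in-depth pattern: the page's <body> starts hidden (style="display:none")
// and is only revealed once we have confirmed we are not inside a frame. If we are
// framed, navigate the top window to our own URL so the user sees the real page,
// unobscured. Returns "shown" or "busted" so the outcome can be checked.
function applyFrameBusting(win, doc) {
  if (!isFramed(win)) {
    doc.body.style.display = "block";
    return "shown";
  }
  win.top.location = win.self.location;
  return "busted";
}

// Server-side companion: browsers that honour the X-Frame-Options header (and, in
// later browsers, the CSP frame-ancestors directive) refuse to frame the page before
// any script runs, so script-based busting should be treated as a fallback only.
// Returns the response headers a site would set.
function antiFramingHeaders() {
  return {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
  };
}
```

In a real page the body is hidden in static CSS and `applyFrameBusting(window, document)` runs as early as possible in the document head.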
But then again, if the vast majority of people will tell you their password for a candy bar, I suppose we shouldn't be that surprised.

Happy Friday the 13th!

- Jeff
