Thursday, 12 February 2009

Do Click: twitter vulnerability

If you are at this page, you probably clicked on a "Do Click" link on twitter.

Well done - you know how to follow instructions. If you were one of those rebellious types, you might have clicked on the "Don't Click" link which is also propagating on there.

Fortunately you aren't like that. If you were, you would probably have been the victim of a cross-site scripting vulnerability (explanation at Coding Horror). This runs some JavaScript which starts posting messages in your name on Twitter.

In this case the message seems relatively harmless - it simply posts another copy of itself to try to spread itself to other twitter users. But, not having clicked on it, I can't say for sure that it is innocuous. In general it's dangerous to click on this kind of thing.

One way around this is to insist on using the 'preview' feature on tinyurl. Any tinyurl link (such as the one being passed around with the "Don't Click" message) can be modified by putting "preview." in front of the hostname. For example, instead of

If you use this, you will see the URL of the site you're being forwarded to, and can then use your judgement in deciding whether to click through.
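The "preview." trick above is easy to automate before following a shortened link. The function below is an added example, not code from the original post: it rewrites a tinyurl.com link to its preview form and leaves every other URL unchanged. The sample links in the test are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames the shortener answers on; "preview." in front of either
# shows the destination instead of redirecting to it.
TINYURL_HOSTS = {"tinyurl.com", "www.tinyurl.com"}
PREVIEW_HOST = "preview.tinyurl.com"


def to_preview_url(url: str) -> str:
    """Return the preview.tinyurl.com form of a tinyurl.com link.

    Links that point elsewhere, or are already preview links, are
    returned as given. A link without a scheme is treated as http://
    so that urlsplit parses the hostname correctly.
    """
    candidate = url.strip()
    if "://" not in candidate:
        candidate = "http://" + candidate
    parts = urlsplit(candidate)
    host = (parts.hostname or "").lower()
    if host == PREVIEW_HOST:
        return candidate          # nothing to do, already safe to inspect
    if host not in TINYURL_HOSTS:
        return url                # not a tinyurl link, leave it alone
    # Keep scheme, path, query and fragment; only the host changes.
    return urlunsplit((parts.scheme, PREVIEW_HOST, parts.path,
                       parts.query, parts.fragment))


if __name__ == "__main__":
    print(to_preview_url("http://tinyurl.com/abc123"))
```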

In the case of the "Don't Click" message, you would have seen a URL ending in .php within the directory

I went to the above site manually, omitting the PHP link - and decided it didn't look very trustworthy. Therefore I didn't click on the link.

Plus, common sense should warn you off when someone sends you the message "Don't Click". Most of us have learned not to click links like that in our emails.

Didn't anyone tell you at school that "gullible" isn't in the dictionary? xkcd warned us about this just two days ago.

Here is a page discussing an older version of this problem.
