
Don’t Click on Twitter Explained (sorta)

So if you are on Twitter and you've seen the "Don't Click: http://tinyurl.com/amgzs6" status message, seriously, just don't click it.  @apeatling was first on my list to state that it was a bad thing to do, and it got me into investigative mode.  Besides viewing the source, I found a site explaining how all the so-called "magic" happens; if you can read French, check it out: http://www.korben.info/petit-cours-de-twitt-jacking.html

It's quite simple actually: the page contains an embedded iframe that loads the URL http://twitter.com/home?status="http://tinyurl.com/amgzs6".  The status parameter pre-fills the tweet box inside the frame, and the frame is made invisible and positioned so that Twitter's own update button sits directly under the "Don't Click" button.  A click on the decoy is really a click on the update button, submitted with the victim's own session.  Now everyone that's following you sees the same message on your feed, and who knows who'll click on it and propagate the badness.

Twitter needs to (and I'm sure by the time most people read this it should be fixed) check the Referer on any state-changing API call.  That stops a forged cross-site POST, but it does not by itself stop the framed click, because that submission comes from Twitter's own page with Twitter's own Referer and token.  What closes the framing hole is refusing to render the page inside a frame at all (a frame-busting script or an X-Frame-Options header), so a Referer check is just *one* way to help fix the problem.

I then looked into the rest of the site to see how I could exploit DM messages and anything else (on the advice of @quaelin).  I theorize that you can use XHR to grab the Twitter ID of any user you're following and then DM them a message.  The same idea applies: use "http://twitter.com/direct_messages/create/xxxxx" (where xxxxx is the Twitter ID of a particular account), construct an HTTP POST, push in the authenticity_token value (the anti-CSRF token Twitter's forms carry), and wham, your script is sending DMs to everyone.  One caveat: the same-origin policy stops a third-party page from reading twitter.com responses over XHR, so harvesting the IDs and the token this way needs script already running on twitter.com itself, and a cross-site POST without the token is exactly what the token is there to reject.

I'm deliberately leaving out a lot of details, but in short this sucks.  The same methods could be applied to many other sites; it's not just Twitter that has to worry about this.

Follow me on twitter here: http://twitter.com/marklise
