
Where did the Twitter “Don’t Click” attack come from?

February 12th, 2009

Twitter today went nuclear under the weight of a little hack dubbed the “don’t click” attack:

For a better description of how the attack worked than I could hope to write, I recommend you read Daniel Sandler’s page or Mack Staples’s writeup, both of which are excellent.

In brief, though, it was a tiny, simple web page with a button labelled “Don’t Click!”; hidden from the user, but overlaid with that website, was the Twitter homepage, with a tweet pre-loaded containing the text “Don’t Click http://tinyurl.com/aaaaa”. If the user clicked the “Don’t Click!” button, the browser sent the click to the Twitter homepage instead, which would post a tweet from the user. The tinyurl.com address leads back to the “Don’t Click!” button page. In this manner, it spreads from one user to another much like a virus.
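The overlay trick described above only works if the target page (here, the Twitter homepage) agrees to be rendered inside another site's frame. As an added example, not code from the original post or from any of the pages it links, the following JavaScript audits a response's headers for the two mitigations a site can send today, `X-Frame-Options` and the Content-Security-Policy `frame-ancestors` directive, and reports how much framing protection they give. The header objects at the bottom are constructed samples.

```javascript
// Added example: classify a response's anti-framing headers.
// Input: an object whose keys are lowercase header names.
// Output: 'deny' | 'sameorigin' | 'allowlist' | 'none'.

function parseFrameAncestors(csp) {
  // A CSP value is a ';'-separated list of directives; each directive is a
  // name followed by whitespace-separated source expressions.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      // Strip the quotes around keywords such as 'none' and 'self'.
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null; // directive absent
}

function framingProtection(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const ancestors = parseFrameAncestors(csp);
    if (ancestors !== null) {
      // Browsers that understand frame-ancestors ignore X-Frame-Options,
      // so the CSP directive decides the result when it is present.
      if (ancestors.length === 0) return 'deny';   // empty source list matches nothing
      if (ancestors.length === 1 && ancestors[0] === 'none') return 'deny';
      if (ancestors.every(a => a === 'self')) return 'sameorigin';
      return 'allowlist'; // specific origins may frame the page
    }
  }
  // Fall back to the older header; its values are case-insensitive.
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'sameorigin';
  return 'none'; // nothing stops a hidden cross-site frame
}

// Constructed sample responses (not captured from any real site).
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  legacyOnly: { 'x-frame-options': 'sameorigin' },
  modern: {
    'x-frame-options': 'SAMEORIGIN',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  },
  partners: { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};

function auditAll(samples) {
  const report = {};
  for (const [name, headers] of Object.entries(samples)) {
    report[name] = framingProtection(headers);
  }
  return report;
}

console.log(auditAll(SAMPLES));
```

A result of `'none'` is the state the Twitter homepage was in when this worm ran: any page could load it invisibly and let a visible button forward the click.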

How it worked was pretty simple; what interested me was finding the source of the hack, so I pounded on the advanced search in Twitter.com for a while. The earliest use of it in English I could find was from user @sfnick and dated 10:03 am on the 11th of February, showing that this attack spread rapidly once it was translated into English. However, digging further showed that this has been spreading around in French-language tweets for several weeks — with the prefix text “Le Truc du Jour”.

Searching Twitter for that phrase turned up a different tinyurl.com address, presumably leading to a similar attack page (although it has been disabled now so I cannot check). Tracing that different tinyurl.com further back in time eventually led me to this search which shows where the attack came from:

I contend that the user @umoor is where this attack came from, firstly, because he has the first three tweets in Twitter’s search index with the string and secondly, because the attack is hosted on the domain “umoor.eu”. All three of those tweets have been deleted from his history — I believe this was him testing the functionality of the exploit.

Amazingly, within minutes, the attack had spread to four more users — none of whom seem to follow @umoor. I would like to know what attack vector the URL was delivered by; it’s possible that they were all following @umoor at the time. If I worked for Twitter now, I’d be making some graphs of how this exploit spread from person to person — there is some fascinating research there.

@umoor, however, didn’t write the exploit. The exploit was detailed in theoretical form in a blog post by James Padolsey on Jan 20th, ten days before the search results from @umoor. Comparing the source code of James Padolsey’s example and @umoor’s in-the-wild hack shows they are largely identical in details such as the ordering of CSS elements and HTML indentation, strongly suggesting that @umoor essentially cut-and-pasted Padolsey’s example.

On the left, the exploit source code from umoor.eu; on the right, Padolsey's example. Click to enlarge.

Additionally, at the bottom of his exploit page, @umoor links to (and credits) this page on the French-language site korben.info, which contains source code identical to that used in @umoor’s page. It’s not clear whether the information went from Padolsey->Korben->umoor, or if @umoor is involved in the Korben page in some way. (Edit — see the comment below from Korben himself, which confirms that my first explanation was correct).

Either way, @umoor doesn’t deserve any credit for figuring out the attack, and should probably be criticised for making a large number of people panic that their Twitter account had been hacked.


  1. February 13th, 2009 at 10:57 | #1

    The truth is that I took the news from Padolsey.
    Then, I adapted it for my French readers with a PoC which was not a worm because the tweeted link was a link to the homepage of my blog… Then umoor, who is (I suppose) one of my readers, adapted the script to make it work like a worm (because the tweet message calls the don’t click page) and called it “Don’t click”…

    The rest of the story is well known…

    Best regards

  2. February 13th, 2009 at 12:48 | #2

    Well analyzed, Richard. Interesting assessment and probably exactly right. If startupz wasn’t following umoor, he probably saw it on the public timeline, clicked and there ya go. Hopefully startupz will respond to my tweet, and let me know where he found that initial link.

  3. February 13th, 2009 at 13:55 | #3

    Hi there.

    In order to make things clear, and to show that unfortunately I’m not that smart nor clever, I wrote a little post. I never intended to take the credit for the discovery, and that is why I stated my source.

    So I suppose I can be criticised even though my intention was to make people smile.

    As stated by Korben my mistake was to put a tweet link to the original trick page.

    http://www.umoor.eu/blog/general/the-dont-click-effect

  4. February 13th, 2009 at 13:56 | #4

    Thank you, Korben, for clearing that up. And thank you for your kind words, Mack. I have added a link back to your excellently written technical description of the hack.

    @startupz saw one of my tweets yesterday (he responded here) but hasn’t replied to the one I sent him (here). It would be interesting to track the epidemiology of the first few hours, as it spread through the Twitter social graph.

  5. February 13th, 2009 at 14:05 | #5

    Merci beaucoup for taking the time to reply, @umoor. I will admit that I was fooled by the exploit, and I smiled when I checked the source code to see how it worked. However I also saw a bit of panic from the non-technical people I follow on Twitter that their password had been stolen. I suppose the timing was unfortunate, as it came on the heels of that phishing scam a few weeks ago when people genuinely did lose their account details.

    I do believe, however, that after watching it move quickly through the French-speaking Twitter community for two weeks, translating it into English on Feb 10th was rather cheeky!
