Tag Archive | "warning"

Don’t Click That Link

You probably noticed a swarm of messages on Twitter today saying “Don’t click” followed by a tinyurl. Even though it’s been around for a while, it really took off today. What’s happening is you get brought to a page with a button that says “Don’t click”. Naturally your first instinct is to defy orders and do it anyway. What you don’t see is a hidden iframe on that page containing your Twitter homepage.

[Screenshot: "Don't Click" page, captioned "This is what you see"]

[Screenshot: "Don't Click" page source, captioned "This is what you don't see"]

The person responsible for this little “hack” (@korben) has claimed on his blog that it doesn’t do anything bad, but rather is an example of what you can do with some CSS, a frame, and some ingenuity. The author also claims there is no solution to prevent this other than to use the NoScript addon for Firefox. Twitter CEO Evan Williams (@ev) called it “clickjacking” and says they’ve already pushed a fix for the problem.

If you did fall prey to this little game, we recommend that you change your password just in case. Always exercise caution and check search.twitter.com to see what others are saying before you dive in headfirst.
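The hidden-frame trick only works when the framed site lets pages on other origins embed it. As an added example (not from the original post, and not a description of Twitter's fix), this function reads a response's `X-Frame-Options` and CSP `frame-ancestors` headers and reports whether another origin could frame the page; the origins `site.example` and `lure.example` are constructed.

```javascript
// Added example: can a page at embedderOrigin load this response in a frame?
// Returns 'blocked', 'allowed' or 'unknown'. Simplification: only the
// top-level embedding page is considered, not a chain of nested frames.
function framingDecision(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }

  // When CSP frame-ancestors is present it takes precedence over X-Frame-Options.
  const directive = (h['content-security-policy'] || '')
    .split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map((s) => s.toLowerCase());
    const embedder = embedderOrigin.toLowerCase();
    if (sources.length === 0) return 'blocked';
    if (sources.length === 1 && sources[0] === "'none'") return 'blocked';
    if (sources.includes('*')) return 'allowed';
    if (sources.includes("'self'") && embedder === pageOrigin.toLowerCase()) return 'allowed';
    if (sources.includes(embedder)) return 'allowed';
    // Wildcard hosts and scheme-only sources are not evaluated here.
    const simple = sources.every(
      (s) => s === "'self'" || /^https?:\/\/[a-z0-9.-]+(:\d+)?$/.test(s)
    );
    return simple ? 'blocked' : 'unknown';
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin ? 'allowed' : 'blocked';
  // Missing or unrecognised value: no framing policy, any page can embed it.
  return 'allowed';
}

// Constructed sample: the same page served without and with a framing policy.
const SITE = 'https://site.example';
const LURE = 'https://lure.example';
console.log(framingDecision({}, SITE, LURE));
console.log(framingDecision({ 'X-Frame-Options': 'DENY' }, SITE, LURE));
```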

Posted in News | Comments (0)

Celebrity Hack Attack Launched Against Twitter

For the second time in three days, Twitter finds itself as the target of a malicious attack. On Saturday, a phishing scam was running through direct messages. Today, we’ve received word that certain well-known Twitter users have found tweets injected into their timeline. Victims include President-Elect Obama, Bill O’Reilly of Fox News, Rick Sanchez of CNN, and Britney Spears.

This is another warning message to the rest of us. Even though you probably haven’t been compromised, you need to be watching your own stream for strange tweets. If you’re afraid you’re going to be a victim, change your password. If you see something in there that you didn’t put there, change your password. Here are some tips for creating a safe password.

If you see anything fishy, send a tip to tips [at] microblink [dot] com.

Update: Twitter’s Status blog claims they’ve found the cause and blocked it and are working to restore the compromised accounts.

Update 2: Twitter’s official statement says that 33 accounts were compromised. They’re also saying that it was a separate incident from the weekend’s phishing scam.

[Screenshots: Bill O'Reilly Hacked; Britney Spears Hacked; Barack Obama Hacked; Rick Sanchez Hacked; Huffington Post]

Posted in News | Comments (4)

Phishing Scam Strikes in Twitter Direct Messages

A new phishing attempt has been circulating tonight that’s being distributed through direct messages. If you receive a direct message like this, delete it immediately. Do not click the link.

[Screenshot of Phishing Direct Message]

The direct message will include the following text and link:

hey! check out this funny blog about you… jannawalitax.blogspot.com

As a measure of courtesy, you might want to inform the user who sent it to you that they’ve fallen victim. You can send them a reply or a direct message, whichever one you feel is more effective.

Protect Yourself

The link will take you to a site that looks very much like Twitter - but it is not. It’s a third-party site (twitter.access-logins.com) that just wants your password so it can spread further.

[Screenshot: Access-Logins Twitter Phishing Site]

It’s important to note that you should really treat direct messages like you treat email. As always, we advise practicing caution when using your Twitter credentials. If it looks suspicious, it probably is.
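The phishing host above puts the brand name in a subdomain of an unrelated domain. As an added example (not from the original post), this check classifies a link's host against the domain you expect to log in at, using the hostnames quoted in this article; the function name and the labels it returns are hypothetical.

```javascript
// Added example: is this link really on trustedDomain, or does it only
// borrow the brand name? Returns 'trusted', 'lookalike', 'other' or 'invalid'.
function classifyLoginHost(urlString, trustedDomain) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return 'invalid';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'invalid';

  // Normalise case and a trailing root dot before comparing.
  const host = url.hostname.toLowerCase().replace(/\.$/, '');
  const trusted = trustedDomain.toLowerCase();

  // Exact match, or a subdomain with a dot boundary. A bare endsWith(trusted)
  // would also accept a host such as "nottwitter.com".
  if (host === trusted || host.endsWith('.' + trusted)) return 'trusted';

  // Brand name somewhere else in the host, or in the userinfo part before
  // "@", means the link imitates the trusted site.
  const brand = trusted.split('.')[0];
  if (host.includes(brand) || url.username.toLowerCase().includes(brand)) {
    return 'lookalike';
  }
  return 'other';
}

// Hostnames quoted in this article, checked against twitter.com.
for (const link of [
  'https://twitter.com/login',
  'http://twitter.access-logins.com/',
  'http://jannawalitax.blogspot.com/',
]) {
  console.log(link, '->', classifyLoginHost(link, 'twitter.com'));
}
```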

Oops! I clicked on the link, now what?!

If you did log in at the phishing site, change your password immediately. Without a valid password, there’s nothing the phishers can do on your behalf. Unfortunately, there’s not much else you can do right now. If we hear about an official point of contact, we’ll list it here.

Twitter’s On It

Biz Stone tweeted earlier that the operations team at Twitter is working on the issue, so expect to see a resolution fairly quickly. There’s also a post on the issue on the Twitter Status blog. We just wanted everyone to be aware of the issue before it affects you. We, and many others, have sent out warnings through Twitter – please do your part and retweet or redistribute the link to this article.

Update: It looks like the phishers are also hitting Facebook, as pointed out by @jamescarr (via @hillabean). Beware of anything linking to access-logins.com. Rob also pointed out that Firefox is reporting anything at that domain as web forgery.

Update 2: Twitter has a great post on their blog about what phishing is and what you can do to avoid phishing scams.

Posted in News | Comments (8)

Twitterank Warns About Giving Away Login Credentials

UPDATE 1: Ryo posted a follow up message on the Twitterank blog.

UPDATE 2: Ryo really was working to create a new type of ranking algorithm for Twitter users.

Earlier today I noticed several people posting messages on Twitter about their Twitterank, a new grading system developed by Ryo Chijiiwa (@ryochiji).

I was fairly busy throughout the day and didn’t stop by to check it out, but now I’m glad I didn’t. If you take a look at Twitter Search, you’ll notice a few peculiar terms trending this evening: Twitterank, Gullible Twitter and My Twitterank.

The first tweet I saw tipping me off that Twitterank was a “scam” was from Jeremy Bingaman (@iowaradioguy), linking to a TwitPic from Nate Ritter (@nateritter) of the source code behind the site.

The commented out message reads:

I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, “Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?” And if that’s not what you’re asking yourself, shame on you.

Hi! Yes, the text you see above was there when Twitterank first launched, because giving away your user name and password to untrusted 3rd parties really is a bad idea. I took it out because it was verbose, and it didn’t seem to deter people.

Though Ryo doesn’t seem to be interested in the usernames and passwords of individuals’ Twitter accounts, he did prove a point, as Tom Chapin suggested earlier this afternoon:

All that being said, if you visited Twitterank today and checked your “score”, first stop and take a moment to change your Twitter password. Then, the next time a web app comes along asking for your login credentials for anything, find a way to verify the people behind it and whether or not they really need those details.

UPDATE 1: The site’s creator posted a follow up message on the Twitterank blog, answering a few questions:

Are you a phishing site? Are you going to steal my account? etc..etc..

No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.

Why do you need my password to begin with?

There’s some data I use (but not store) that I need to calculate your Twitterank. There are ways for Twitter to make that data available without requiring you to give out your password to 3rd party sites (Facebook, Yahoo! and others have such systems) but Twitter doesn’t yet offer those options to developers. As soon as Twitter adds more secure authentication mechanisms, I’ll switch to that.

Although it seems he actually was trying to create some sort of ranking system, it appears the larger objective was to poke holes in Twitter’s API and, by extension, the security of its users.

He could have gone about making this point in a different way, but sometimes it takes events like this to get people to pay attention.

UPDATE 2: As you’ll notice below, Ryo chimed in and noted he really was working to create a new type of ranking algorithm for Twitter users. We also changed the title of our post to reflect this sentiment. However, with the way this site swept across Twitter and the somewhat ugly feelings people have about the way things went down, I’ll bet that Ryo may have a somewhat difficult time getting people on board to use his apps.

Posted in News | Comments (12)
