This "Don't Click" virus may have the great benefit of giving CSRF (Cross-Site Request Forgery) the sort of front-page news that will spur developers of social sites to adopt safe(r) cookie practices. ...and more and more sites are adopting at least some cookie-based social features.
Demonstrations that the (apparently) innocent "Don't Click" virus is poorly defended against at Twitter will likely mean that more nefarious and damaging ones are being cooked up right now. Neophyte developers like myself keep having to remind ourselves that more stringent rules need to be applied to surfing from the same browser as is used for database access, such as phpMyAdmin:
http://news.ycombinator.com/item?id=209457
This wasn't CSRF, but clickjacking, aka UI redressing. CSRF protection does nothing against it. There are some ways to attempt to defend against it but I don't think there is any 100% reliable way yet.
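The two defensive layers this comment alludes to, as an added example that is not part of the thread or of Twitter's code: a server-side `X-Frame-Options` header (a real header, introduced by IE8 around the time of this thread and adopted by other browsers later) and a client-side frame-busting check. The `makeWindow` helper and the `example.invalid`/`attacker.invalid` URLs are constructed stand-ins so the check can be exercised outside a browser.

```javascript
// Layer 1: response header. X-Frame-Options tells a supporting browser
// not to render this page inside a frame at all, so nothing can be
// overlaid on top of our buttons. A CSRF token does not help here: the
// victim's own browser submits the real form with the real token.
function clickjackingHeaders(policy) {
  // "DENY": never frame; "SAMEORIGIN": only our own pages may frame us.
  if (policy !== "DENY" && policy !== "SAMEORIGIN") {
    throw new Error("unsupported X-Frame-Options policy: " + policy);
  }
  return { "X-Frame-Options": policy };
}

// Layer 2: in-page frame busting, for browsers that ignore the header.
// Written against an injected window-like object so it can run outside
// a browser; in a real page you would pass `window`.
// Returns true when the page found itself framed and asked the browser
// to replace the framing document with this page.
function bustFrame(win) {
  // Unframed documents have top === self.
  if (win.top === win.self) {
    return false;
  }
  // Framed: navigate the top-level window to our own URL, escaping the
  // outer page. Script-based busting can be neutralised by the framing
  // page, which is why the header layer is the stronger of the two.
  win.top.location = win.self.location;
  return true;
}

// Constructed stand-ins for a framed and an unframed window.
function makeWindow(framed) {
  const self = { location: "https://example.invalid/settings" };
  const top = framed ? { location: "https://attacker.invalid/game" } : self;
  return { self: self, top: top };
}
```

Serving the header and the script together gives coverage across browsers that do and do not honour `X-Frame-Options`, which is the "no single 100% reliable way" point made above.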
Thank you for the clarification. It seems that Twitter thinks (http://blog.twitter.com/2009/02/clickjacking-blocked.html) they are reliably defending against it. Someone will soon be trying to determine if theirs is "100% reliable" yet.
Clickjacking has been known about for over a year. When will companies start to proactively fix these kinds of exploits? It always seems to take a "sample" exploit first.
For other noobs like me, the Wikipedia entry should strike the fear of black-hatting in you: http://en.wikipedia.org/wiki/Cross-site_request_forgery