The Twitter "Don't Click" clickjacking stampede

Filed Under: Social networks, Twitter

Yesterday, many Twitter users were swamped with messages saying "Don't Click", pointing to what appeared to be a web link.

Naturally, humans being what they are, the "Don't Click" got clicked on. A lot.

Bzzt. That wasn't a good idea, because when they they did a Tweet was sent from their own account with the same "Don't Click" message and link.

The tweetosphere was soon awash with "Don't click" messages, followed by people panicking that they hadn't knowingly sent the message.

Dont click

Undoubtedly many people clicked on the link because they believed it had been knowingly posted by their friends on Twitter - a healthy reminder for people to be more cautious of how they behave on social networks.

Not everyone who clicked fell foul, of course. For instance, users of the Firefox web browser who were sensible enough to have installed the NoScript plug-in had the clickjacking attempt intercepted:

Dont Click clickjacking attempt blocked by NoScript

(NoScript image source: Andrew Mason's Flickr photostream).

Fortunately, on this occasion, the clickjacking was more of an irritating nuisance than malicious and Twitter updated their systems to prevent the attack from spreading further. Twitter co-founder Biz Stone blogged about the issue, providing more information to users:

Twitter clickjacking

As Twitter continues to grow in popularity we're likely to see more attempts to abuse the system, some of which - in the future - are bound to be more malicious than mischievous.

, ,

You might like

About the author

Graham Cluley runs his own award-winning computer security blog, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.