The Twitter “Don’t Click” clickjacking stampede

Yesterday, many Twitter users were swamped with messages saying “Don’t Click”, pointing to what appeared to be a web link.

Naturally, humans being what they are, the “Don’t Click” got clicked on. A lot.

Bzzt. That wasn’t a good idea, because when they they did a Tweet was sent from their own account with the same “Don’t Click” message and link.

The tweetosphere was soon awash with “Don’t click” messages, followed by people panicking that they hadn’t knowingly sent the message.

Dont click

Undoubtedly many people clicked on the link because they believed it had been knowingly posted by their friends on Twitter – a healthy reminder for people to be more cautious of how they behave on social networks.

Not everyone who clicked fell foul, of course. For instance, users of the Firefox web browser who were sensible enough to have installed the NoScript plug-in had the clickjacking attempt intercepted:

Dont Click clickjacking attempt blocked by NoScript

(NoScript image source: Andrew Mason’s Flickr photostream).

Fortunately, on this occasion, the clickjacking was more of an irritating nuisance than malicious and Twitter updated their systems to prevent the attack from spreading further. Twitter co-founder Biz Stone blogged about the issue, providing more information to users:

Twitter clickjacking

As Twitter continues to grow in popularity we’re likely to see more attempts to abuse the system, some of which – in the future – are bound to be more malicious than mischievous.