• On CHOW: Sexy vampire party
February 12, 2009 11:12 AM PST

Twitter hit with 'Don't Click' clickjacking attack

by Elinor Mills

This graph shows how quickly the "Don't Click" tweets spread across Twitter.

(Credit: Sunlight Labs)

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and peoples' natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the "don't click" clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless and just propagated itself, according to a post on the Sunlight Labs blog.

The code "creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it). There's not a bit of JavaScript involved. The only JavaScript on the page is their Google Analytics code," the Sunlight Labs post says.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News,

Vulnerabilities & attacks

Tags:

Twitter,

security,

virus

Share:
Digg
Del.icio.us
Reddit
advertisement
Click here!
Recent posts from Security
Microsoft to fix holes in Windows, Office
Google privacy controls: Most people won't care
Zero-day flaw found in Web encryption
Mac Game: Art project or malware?
Corporate bank accounts targeted in online fraud
Hacker breaks into jailbroken iPhones, asks for $7
Malwarebytes accuses rival of software theft
Security firm M86 acquires Finjan
Related
Dedicated tweeting gadget TwitterPeek launches
Spiff up your Twitter profile with photos, video
Kaspersky tool detects malware in Twitter links
Track your tweets with iPhone app Tweetie
AVG LinkScanner can detect malicious short URLs
Integrated retweet on its way to Twitter
Hands-on with Twitter Lists
Why Hollywood needs to hear more about Twitter
Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
by mexic0 February 12, 2009 12:07 PM PST
So does this work only if you are logged onto your twitter webpage?
Reply to this comment
by ppratik96 February 12, 2009 12:49 PM PST
Well yeah but you probably have to logged in to see the the tweet anyway so when you click on the link you will be logged on.
by Ignoranceisslavery February 13, 2009 9:06 PM PST
IM SO HAPPY. Twitter IS Lame and I hope it crashes and burns. Seeing the article on my Feed Actually made me smile. THANK YOU PRANKSTER.
Reply to this comment
(3 Comments)
  • prev
  • 1
  • next
advertisement

FAQ: Buying the right Windows 7 upgrade

Readers still have lots of questions on just which version of the software they need to buy in order to upgrade their PC. CNET News tries to offer some answers.

N.Y. lawsuit details Intel's 'largesse' toward Dell

Attorney General Andrew Cuomo's federal antitrust case filed Wednesday alleges a longstanding symbiotic relationship between Intel and Dell.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET