• On TechRepublic: Five super-secret features in Windows 7
advertisementGet Smart about Business Spending
February 12, 2009 11:12 AM PST

Twitter hit with 'Don't Click' clickjacking attack

by Elinor Mills
  • Font size
  • Print
  • 3 comments

This graph shows how quickly the "Don't Click" tweets spread across Twitter.

(Credit: Sunlight Labs)

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and peoples' natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the "don't click" clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless and just propagated itself, according to a post on the Sunlight Labs blog.

The code "creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it). There's not a bit of JavaScript involved. The only JavaScript on the page is their Google Analytics code," the Sunlight Labs post says.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
Topics:

News,

Vulnerabilities & attacks

Tags:

Twitter,

security,

virus

Share:
Digg
Del.icio.us
Reddit
advertisement
Click Here
Recent posts from Security
Pub fined $13k for Wi-Fi copyright infringement
Tips for safe online shopping
Big changes in Security Starter Kit 2010
Confidential 9/11 pager messages disclosed
Microsoft warns of IE exploit code in the wild
Chrome OS security: 'Sandboxing' and auto updates
E-tailers snagged in marketing 'scam' blame customers
McAfee warns about '12 Scams of Christmas'
Related
Dedicated tweeting gadget TwitterPeek launches
Report: Twitter still 'missed opportunity' for Fortune 100s
Twitter's geotagging API goes live
Integrated retweet on its way to Twitter
LinkedIn's platform loosens up
Mint makes Twitter an investor hub
Brizzly opens up...and translates
Watch out, TwitPic: MMS to Twitter now in U.K.
Add a Comment (Log in or register) (3 Comments)
  • prev
  • 1
  • next
by mexic0 February 12, 2009 12:07 PM PST
So does this work only if you are logged onto your twitter webpage?
Reply to this comment
by ppratik96 February 12, 2009 12:49 PM PST
Well yeah but you probably have to logged in to see the the tweet anyway so when you click on the link you will be logged on.
by Ignoranceisslavery February 13, 2009 9:06 PM PST
IM SO HAPPY. Twitter IS Lame and I hope it crashes and burns. Seeing the article on my Feed Actually made me smile. THANK YOU PRANKSTER.
Reply to this comment
(3 Comments)
  • prev
  • 1
  • next
advertisement

The browser battles go on and on

roundup From Firefox to IE and from Chrome to Opera and Safari, there's no sitting still for browser makers looking to keep their products fresh and competitive.

3G wireless still holds promise

The next generation of 4G wireless may get all the headlines, but advanced 3G technology will likely dominate services for the next few years.

About Security

Online security is threatened by more than hacking and phishing attempts. Check here for the latest updates on software vulnerabilities, data leaks, and rapidly spreading viruses--and learn how to protect your systems.

Add this feed to your online news reader

Security topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
Dell
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET