February 12, 2009 11:12 AM PST

Twitter hit with 'Don't Click' clickjacking attack

by Elinor Mills

This graph shows how quickly the "Don't Click" tweets spread across Twitter.

(Credit: Sunlight Labs)

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and people's natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the 'don't click' clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless and just propagated itself, according to a post on the Sunlight Labs blog.

The code "creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it). There's not a bit of JavaScript involved. The only JavaScript on the page is their Google Analytics code," the Sunlight Labs post says.
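The hidden-iframe trick described above only works when the target page lets other sites frame it, so the standard mitigation is a response header that forbids or restricts framing. The following script is an added example (not code from the article, Twitter, or Sunlight Labs) that classifies a response's headers by the framing policy a browser would enforce; the header sets are constructed samples, and the script follows the rule that a Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options.

```python
"""Audit HTTP response headers for clickjacking (framing) protection."""
from typing import Optional


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # Strip the quotes around keywords such as 'self' and 'none'.
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: dict) -> str:
    """Classify a response as 'denied', 'same-origin', 'restricted' or 'unprotected'.

    'restricted' means framing is limited to an explicit allow-list of origins.
    Header names are matched case-insensitively, as browsers do.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            # An empty source list is equivalent to 'none' under CSP.
            if not sources or sources == ["none"]:
                return "denied"
            if sources == ["self"]:
                return "same-origin"
            return "restricted"
    # No CSP frame-ancestors directive: fall back to X-Frame-Options.
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "denied"
    if xfo == "sameorigin":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers, so treat it as unprotected.
    return "unprotected"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no headers": {"Content-Type": "text/html"},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "conflicting": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'"},
}


def audit(samples=SAMPLES) -> dict:
    """Map each sample name to its framing verdict."""
    return {name: framing_policy(hdrs) for name, hdrs in samples.items()}
```

A page that audits as "unprotected" can be loaded invisibly inside another site's iframe, which is exactly the condition the "Don't Click" page relied on.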

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
3 comments
by mexic0 February 12, 2009 12:07 PM PST
So does this work only if you are logged onto your twitter webpage?
by ppratik96 February 12, 2009 12:49 PM PST
Well yeah, but you probably have to be logged in to see the tweet anyway, so when you click on the link you will be logged on.
by Ignoranceisslavery February 13, 2009 9:06 PM PST
I'M SO HAPPY. Twitter IS lame and I hope it crashes and burns. Seeing the article on my feed actually made me smile. THANK YOU PRANKSTER.
