Twitter hit with 'Don't Click' clickjacking attack

Microblogging site puts an end to a prank that had Twitter users inadvertently sending tweets that say "Don't Click" followed by a link.

Elinor Mills Former Staff Writer

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

See full bio

Elinor Mills

Feb. 12, 2009 11:40 a.m. PT

This graph shows how quickly the "Don't Click" tweets spread across Twitter. Sunlight Labs

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and peoples' natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the "don't click" clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless and just propagated itself, according to a post on the Sunlight Labs blog.

The code "creates an iframe of the page, hides it, and when you click that button and you're logged into Twitter, it makes you post that message (even though you don't see it). There's not a bit of JavaScript involved. The only JavaScript on the page is their Google Analytics code," the Sunlight Labs post says.