The Twitter “Don’t Click” clickjacking stampede

Graham Cluley

Yesterday, many Twitter users were swamped with messages saying “Don’t Click”, pointing to what appeared to be a web link.

Naturally, humans being what they are, the “Don’t Click” got clicked on. A lot.

Bzzt. That wasn’t a good idea, because when they did, a Tweet was sent from their own account with the same “Don’t Click” message and link.

The tweetosphere was soon awash with “Don’t click” messages, followed by people panicking that they hadn’t knowingly sent the message.

Undoubtedly many people clicked on the link because they believed it had been knowingly posted by their friends on Twitter – a healthy reminder for people to be more cautious of how they behave on social networks.

Not everyone who clicked fell foul, of course. For instance, users of the Firefox web browser who were sensible enough to have installed the NoScript plug-in had the clickjacking attempt intercepted:

[Image: “Don’t Click” clickjacking attempt blocked by NoScript]

(NoScript image source: Andrew Mason’s Flickr photostream).

Fortunately, on this occasion, the clickjacking was more of an irritating nuisance than malicious and Twitter updated their systems to prevent the attack from spreading further. Twitter co-founder Biz Stone blogged about the issue, providing more information to users:

[Image: Twitter clickjacking]

As Twitter continues to grow in popularity we’re likely to see more attempts to abuse the system, some of which – in the future – are bound to be more malicious than mischievous.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
