Almost 24 hours after the first cross-site scripting (XSS) attack on Twitter, that resulted in thousands of tweets linking to StalkDaily, they are under attack again. This new threat comes only hours after Twitter announced that they had closed a security vulnerability that had allowed the so-called, "StalkDaily Worm" to spread through a JavaScript injection on user profiles.
A little while after the first exploit was patched, an interview with Mikeyy Mooney stated that the 17-year-old owner of the StalkDaily site was responsible. The StalkDaily site was then updated to show the following message:
I have came clean and have accepted the responsibility for the worm, read the interview here, http://www.bnonews.com/news/242.html.
Twitter thought it had sorted the issue and so they went to bed – well that's what it seemed, as it took them ages to notice the next wave. However, that wasn't it and as soon as Mikeyy got his newest script hosted, he activated wave 2, utilising an even bigger hole in the system. It enabled him to spam messages, as before, follow the user @onedegrees – who has now been suspended – change your name, your URL and your Twitter design's link colour.
This time, tweets were being sent out with the word Mikeyy in them and they included warnings to Twitter to fix the issue, such as:
Dude, Mikeyy is the shit! :)
Man, Twitter can't fix shit. Mikeyy owns. :)
Mikeyy. Woooo!
Wow…Mikeyy.
Dude! Mikeyy! Seriously? Haha. ;)
Twitter should really fix this… Mikeyy
Twitter please fix this, regards Mikeyy
damn mikeyy. haha.
Mikeyy is done..
Mikeyy I am done…
All you had to do was visit an infected user page and you too would become infected. It uses a simple XSS injection that, when executed, infects your own user page and spams your timeline with the above messages. Many people thought it was a virus that they had downloaded or that someone had logged into their account. This is not true, in fact, the script itself is completely harmless and does not compromise your Twitter password. It simply uses your web browser's cookies and JavaScript to tweet one of the random messages. No-one has actually logged into your account.
Once you had visited an infected user page, your name would be changed to "Mikeyy Owns", you would automatically follow @onedegrees, your link colour will have changed to a fluorescent blue and your URL changed to one of the many obfuscated JavaScript injections. This meant that every time someone else visited your page, they too would become infected. Truthfully, it was an extremely effective worm; it spread like wildfire.
Clearly, Twitter had a major problem on their hands. However, the biggest problem is the viral nature of social networking itself. The code sent out tweets under your name, but instead of users just ignoring it, they hit the panic button and re-tweeted anything they saw, which just compounded the problem. Twitter is aware of the problem and is apparently working on it. Any re-tweets are just adding to this guys notoriety and ensuring his name won't be forgotten in a hurry.
I saw a lot of tweets claiming you needed to change your password. This made the matter worse and gave people something more to panic about. Changing your password stops the script from running because the cookie made by Twitter gets destroyed (changing passwords means you would have to log out and back in, which resets your session). The session is what the script relies on to post the tweets. So even after changing your password, if you visited an infected user page, your account could still be reinfected. If your profile was infected, all you had to do was delete any tweets on your account that were not written by you and check all of your settings fields – most importantly name and URL. The coder never actually got to see any passwords, e-mails or names.
Twitter claim to have fixed the loopholes. Their blog post regarding the attacks gives us the low-down on what they did, are doing and going to do. According to that post, there were actually 3 waves of attacks, that began yesterday. The first and second waves compromised roughly 100 accounts each, while the third wave today, mangaged to rack up nearly 10,000 tweets. However, this whole experience is not over yet and there will likely be variations of this worm released over the next few days, so just be careful what you click.
Bull3t's Blog is a next generation web log written by me, Philip Hughes (also known as Bull3t), a first-year college student living in England, aged 17. I write this blog for the sake of doing so, posting about anything I see fit. 
So what now?
You've reached the end of this post. Seeing as you made it this far means you might be interested in the following related articles and resources.20 Comments
April 13th, 2009
#1
I hope the twitter.com learns a valuable lesson here and take steps in being more vigilant with these threats. I'm confident this will happen again. There are a lot of very smart coders out there with lots of time on there hands.
If people get nervous about the safety of their information they will drop twitter like a hot potato.
April 15th, 2009
#2
I didn't know it was even possible to get infected through twitter. As much of a douchebag as the guy who created it must be, I gotta give him props. Though I doubt twitter will let something like this happen again.
April 16th, 2009
#3
that 17 y.old boy really pwned twitter.
wonder why the twitter bird didnt eat the worm?
haha
April 21st, 2009
#4
Even such huge fancy services have a little holes in their security, and can be attacked so easy…
April 23rd, 2009
#5
I hope the twitter.com learns a valuable lesson here and take steps in being more vigilant with these threats because it got me and i dont notice until someone tweet me and tell em to delete some of my tweets
April 26th, 2009
#6
You see, it's morons like this that gives the Internet a bad reputation and constantly shows the flaws of humanity of screwing other people over at our own satisfaction.
Really makes me sick some of these people that have no life and nothing better to do than do this garbage!
Regards,
Daniel
May 12th, 2009
#7
I guess any open system would be prone to such attacks. Earlier this kind of systems only interfaced with internal and trusted programs but Web2.0 requires such APIs to be open. Twitter has now gone mainstream with oprah and ashton moments, they better make sure such things don't happen again. It's good they introduced OAuth, earlier I wanted to check the new services around twitter but didn't want to give away my login and password.
May 21st, 2009
#8
I'm glad I don't have a twitter account but it was just a matter of time until twitter got a major problem. Owned
May 29th, 2009
#9
It was extremely surprising for me that a huge site like this would be so easy to infect. And at the same time they don't even offer that many features yet the guy was still able to explit them.
June 6th, 2009
#10
I was surprised too, as I heard about it. But things happen. Even on major sites like twitter. Just hope they have learned these lesson now.
June 22nd, 2009
#11
What had happened, I am sure, will make twitter more robust. It's just months since I have joined twitter and recently enjoying twittering @jamiewelsh and so I would really appreciate twitter if they remain flexible.
June 26th, 2009
#12
Even the most popular sites are at risk. People always find ways around security. People are getting smarter
July 24th, 2009
#13
The bigger site – the eisier way to get infected by some bot or virus. I don't use Twitter anyway – I just don'tlike it. But for those who are using the site this is some useful information. Thanks for the post.
July 25th, 2009
#14
problems like this one will stay as long as we've got the internet. some people will always try to get a way arround security. so we have to learn and secure better. just like twitter.
August 7th, 2009
#15
These large sites are targets. Especially the ones that attact all sorts. Security is difficult to manage when you are that big.
August 7th, 2009
#16
I’ve been emailing with Giorgio Maone, developer of NoScript. He’s written up a short summary of the situation here, Mikeyy’s StalkDaily Twitter Worm vs NoScript: http://hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript/
He claims shutting down this exploit should be a 1-minute fix on Twitter’s part. I’ve said it before, but what in the world is Twitter doing with their $55 million in fundage? Surely they can do better than constant fail whales and gaping security holes.
November 13th, 2009
#17
Lets face it no matter how much security they use the website has to be hosted and accessible on the internet, so for sure it will get hacked sometimes.
There is no real solution – if they can hack NASA they sure as hell can hack Twitter.
January 19th, 2010
#18
yeah… but it is really weird that of all the site, they choose twitter. what would they get in hacking twitter anyway? duh…
January 20th, 2010
#19
Even the most secure site has security exploits. Just try your best to avoid them :).
January 21st, 2010
#20
how does hackers get money? :) i mean, what's the use if they hacked a certain site like twitter? what does they want? information? everyone must be aware, we might be the next victim.
Leave a reply