Twitter Vulnerability: Mutating Fast and More on the Way
Just hours after Twitter began removing the first cross-site scripting vulnerability that hit its site this weekend, a new modified strain has been found, and according to F-Secure, it's not the last one we're likely to see over the next few days.
"This is not over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links. It's beautiful outside, maybe go for a walk instead?" Mikko said on the F-Secure blog earlier today.
According to Breaking News, Mikeyy Mooney, the 17 year-old owner of StalkDaily.com, has reportedly admitted responsibility for yesterday's attack.
"I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website."
We wrote about StalkDaily yesterday, and last night Twitter pointed out on its status blog that it has "taken steps to remove the offending updates and to close the holes that allowed this 'worm' to spread." The offending code can be found at GitHub as noted by Mr Speaker who left a message in our comments, and a postmortem of yesterday's vulnerability can be found on the DCortesi blog.
Clearly Mikeyy is still bored as the new version is now making its way across the Twitterverse, tweeting comments such as: "Man, Twitter can't fix shit. Mikeyy owns :)"
So if you see a tweet with the word Mikeyy - don't click on it.
F-Secure is reporting that all of these attacks are Javascript based and suggests turning it off. You can find instructions on how to turn off JavaScript in the four main browsers; Firefox, Internet Explorer, Safari and Opera at Tucows.
If you need to remove Mikeyy, Twittercism walks you through in six easy steps.
We'll keep you updated as the day progresses.
Share
Facebook
Comments
Subscribe to comments for this post OR Subscribe to comments for all ReadWriteWeb posts
All user-provided content must be sanitized before being stored (and/or redisplayed) to deter cross-site scripting attacks.
In this case there have been two forms of XSS; via <script> in profile URLs, and within the limited amount of custom CSS (link and background colors) a user can provide for their profile page.
This form of XSS is very similar to the "Samy is my friend" MySpace worm from several years back.
For Firefox users, the "NoScript" extension helps to deter XSS.
Thank You..
I think it is inevitable when you start to gain traction
Err, are you sure this is correct? Can't they just htmlspecialchar() all input (or output..) - Don't see any way anyone would be able to sneak past that.. mutations or not.
I thing this attack is welcome to Twitter because in this way will enhance the safety measures.
I might be misinformed, but these types of attacks illegal? If this specific situation is not illegal, what's the loop hole?
Hehe, there will be more to come?
I need to update my AV fast then
Twitter just sucks my balls so hard
Thank you~~ Welcome to participate in the discussionwww.customs-data.com.cn/tradeinformation/topease.htm
We'll keep you updated as the day progresses.
FAIL worm cartoon :) http://mindcream.com/failworm/
"This is not over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links. It's beautiful outside, maybe go for a walk instead?" Mikko said on the F-Secure blog earlier today.
It is actually a great advice even if Twitter is worm-free. Why would people want to follow others online, while they can do it in real life, they only need to be a little more careful ;)
Twitter accounts of celebrities are being hacked these days.