Twitter reels from Mikeyy's XSS 'sploits
- TAGS:cross-site scripting, Mikeyy, StalkDaily, Twitter, worm, XSS
- IT TOPICS:Cybercrime & Hacking, E-Business & Web 2.0, Emerging Technology, Internet, Mobile & Wireless, SaaS & Cloud Computing
In Monday's IT Blogwatch, Richi Jennings watches Michael Mooney exploit cross-site scripting vulnerabilities in Twitter. Not to mention LOL-Cat Face...
Gregg Keizer follows the story: [You're fired -Ed.]
Twitter was hit with at least three different worm attacks that started Saturday and continued into Sunday, the micro-blogging service acknowledged as it promised users it would review its coding practices.
Michael "Mikeyy" Mooney, the 17-year-old creator of the StalkDaily Twitter-copycat site, has admitted creating the worms ... [which] exploited a cross-site scripting vulnerability in the Twitter service to infect user profiles ... relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts' profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.
Peter Smith adds detail:
Merely hitting an infected profile page was enough to infect you as well. It appears "all" the worm did is to commandeer your Twitter account and use it [to] spam Tweets ... Using a 3rd party client protected you from the whole mess.
...
In any event, Twitter has plugged the security hole that allowed the problem in the first place, so the world of Twitter is once again safe from the forces of evil. At least until the next exploit is discovered.
Damon Cortesi performs the postmortem:
Somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript, thereby infecting anybody that then visits your profile.
...
This was a nasty little script ... This is also one of the reasons that I browse the web with NoScript.
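The bug pattern Cortesi describes (a URL-encoded profile field decoded and re-displayed without escaping) next to its fix, as an added illustration that is not from the original post or from Twitter's code; `render_link_vulnerable`, `render_link_hardened` and the sample value are hypothetical and constructed here for illustration.

```python
import html
from urllib.parse import unquote, urlsplit

# Constructed sample: a stored profile-URL value that URL-encodes a closing
# quote and a script tag. Once decoded it contains "<script>". This is a
# harmless placeholder, not the worm's actual payload.
SAMPLE_URL = "http://example.com/%22%3E%3Cscript%3Etest()%3C/script%3E"


def render_link_vulnerable(stored_value: str) -> str:
    """The bug: decode the stored field and drop it straight into the markup."""
    decoded = unquote(stored_value)
    return f'<a href="{decoded}">{decoded}</a>'


def render_link_hardened(stored_value: str) -> str:
    """The fix: validate the scheme, then HTML-escape on output."""
    decoded = unquote(stored_value)
    parts = urlsplit(decoded)
    # Only http(s) URLs with a host are acceptable in this field; anything
    # else (javascript:, data:, empty host) is refused rather than rendered.
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ""
    # Escaping happens at output time, after decoding, so encoded input
    # cannot smuggle markup past the escaping step.
    safe = html.escape(decoded, quote=True)
    return f'<a href="{safe}" rel="nofollow">{safe}</a>'


def contains_raw_script(markup: str) -> bool:
    """Detection helper: does the rendered markup contain an unescaped <script tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print("vulnerable:", render_link_vulnerable(SAMPLE_URL))
    print("hardened:  ", render_link_hardened(SAMPLE_URL))
```

The vulnerable renderer emits a live `<script>` tag from the decoded value; the hardened one renders the same input as inert escaped text and refuses non-http(s) schemes outright.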
Douglas Haider notes the social engineering:
What's particularly dangerous is that this worm generated tweets which tricked other users to click onto its links, because they come from what seem to be reliable sources such as friends and family members. In this case, the messages were fairly innocuous and were used to drive traffic ... However, what if the URL was linked to MORE malicious code?
Twitter's Biz Stone puts a brave face on it all:
No passwords, phone numbers, or other sensitive information was compromised as part of these attacks ... was similar to the famous Samy worm which spread across the popular MySpace social-networking site a while back.
...
We are still reviewing all the details, cleaning up, and we remain on alert. Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future. We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.
Thomas H. "@tqbf" Ptacek quips:
Worm author: you lose 1,000 style points for not fitting your [JavaScript] into 140 characters.
And finally...
Richi Jennings is an independent analyst/adviser/consultant, specializing in blogging, email, and spam. A 23 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him on Twitter, pretend to be Richi's friend on Facebook, or just use boring old email: blogwatch@richi.co.uk.