Twitter worm still on the loose?

I love Twitter as much as the next person.  However, a worm infected Twitter Saturday highlighting security concerns of using the popular micro-blogging site.  The Twitter worm sent automatically generated tweets urging users to visit the site (do not visit the site).  Messages looked like this:


Later in the day, the Twitter worm sent out additional, morphed messages of the same nature.

Users can get infected by simply viewing a corrupt profile.  They do not need to click on a URL or take any other action.  The worm exploited a cross site scripting (XSS) vulnerability that changes the hyperlink on the infected profile and then uses JavaScript to propagate itself as well as send out tweets like the ones shown above.  

At approximately 9PM PST on Saturday night, Twitter posted an update on its status page saying they closed the hole that allowed this worm to spread.   However, users should be aware of the potential for modified Twitter worms, especially as more technical details and the source code of this outbreak come to light. 

BNONews and others are reporting that the 17 year old founder of StalkDaily, who goes by the handle "Mikeyy", has admitted responsibility for the worm.   The StalkDaily website confirms these reports.

(Just as I was posting this Sunday morning, reports are coming in that a second variant of the worm is sending multiple messages containing "mikeyy", suggesting that the vulnerability has not been fully patched). 

What's particularly dangerous is that this worm generated tweets which tricked other users to click onto its links, because they come from what seem to be reliable sources such as friends and family members.  In this case, the messages were fairly innocuous and were used to drive traffic to the StalkDaily website.  However, what if the URL was linked to MORE malicious code?   Additionally, a URL shortening service, (such as TinyURL) could be used to mask the link's destination.

Based on this weekend's Twitter worm outbreak, here are my security recommendations: 

  • For the immediate future, use a third-party Twitter tool (such as TweetDeck) - these are not susceptible to this particular vulnerability.
  • Use a tool such as NoScript for your web browsing. It this case, it would have prevented JavaScript running from an un-trusted domain.
  • If your Twitter profile links to StalkDaily, it has been infected. In that case, you need to clear your cache and empty all cookies in your web browser. Also change your Twitter password.
  • While the Twitter update says that no passwords, phone numbers, or other sensitive information was compromised, consider changing your password anyway. Using long passphrases and rotating them frequently are the basic tenants of good password management.

One of the many reasons Twitter is popular is its interoperability with cell phone and SMS messaging.  This weekend's Twitter worm made me think that widespread cell phone malware will be a part of the near future.  What do you think?

Douglas J. Haider is a Principal Technologist with Xirrus.  He hosts a personal blog at, and micro-blogs on Twitter @wifijedi (which was not infected by the Twitter worm at the time of this writing...)

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon