Weekend worms strike Twitter, teen admits responsibility
Twitter cross-site scripting bugs exploited; 17-year-old owns up to attacks
Computerworld - Twitter Inc. acknowledged that it was hit with at least three different worm attacks that started Saturday and continued into Sunday, and it promised users that it would review its coding practices.
Michael "Mikeyy" Mooney, the 17-year-old creator of StalkDaily, a Twitter copycat site, has admitted creating the worms that attached Twitter's microblogging site.
"At about 2 a.m. on Saturday, four accounts were created that began spreading a worm on Twitter," company co-founder Biz Stone announced in a blog entry Sunday. "From 7:30 a.m. until 11 a.m. [Pacific time], our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts."
That worm, which was widely reported on Saturday and dubbed "StalkDaily," exploited a cross-site scripting vulnerability in the Twitter service to infect user profiles. The original attack relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts' profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.
Those messages promoted the StalkDaily site with tweets such as "I love www.StalkDaily.com" and "Dude, www.StalkDaily.com is awesome. What's the fuss?"
The second attack, which Twitter said affected about 100 different accounts, occurred later Saturday, and the third began Sunday. All three were exploiting cross-site scripting bugs in the service.
"All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm," Stone said in his blog post.
Sunday's worm -- which was pegged as "Mikeyy" because the tweets it forced infected accounts to send included "Mikeyy I am done..." and "Man, Twitter can't fix sh*t. Mikeyy owns" -- was also set loose by Mooney, according to an interview conducted with him earlier today by Net News Daily.
When asked why he created the StalkDaily worm, Mooney said, "Out of boredom. It was the middle of the night and I had nothing else better to do."
Also in the interview, Mooney both dismissed his actions and said he knew the attacks could land him in trouble. "I feel pretty bad about it, but it's not me that left the vulnerability out in the open," he said, then later added, "I'm not worried, though. I know that it could land me in jail."
On the StalkDaily Web site, Mooney posted a short message that read: "I have came clean and have accepted the responsibility for the worm."
Twitter was not available for comment Sunday to answer questions about whether it had, or would, contact law enforcement officials.
One security company warned that the attacks might not be over. "There's going to be quite a few modified Twitter worms for a day or two," predicted Mikko Hypponen, chief research officer at F-Secure Corp., on his company's Web site. "Be careful in Twitter, don't view profiles, don't follow links."
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts