Last night, Twitter was in a state of panic over a ‘worm’ that had exploited the site. Unlike previous bugs, which required you to click a link of some sort, users could be affected simply by visiting someone else’s profile.
The ‘worm’ stemmed from an apparent Twitter-like site called StalkDaily, infecting Twitter profiles and status updates with messages directing people to StalkDaily. Throughout the entire event, the StalkDaily site maintained it had no involvement – today, we learn that was clearly a lie.
The idiot comes clean.
The 17-year-old, Brooklyn-based owner of StalkDaily has admitted responsibility for the Twitter worm. In an email to BNO News, the site behind the Twitter account BreakingNewsOn, Mooney said:
“I am the person who coded the XSS which then acted as a worm when it auto updated a user’s profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.”
Whilst developing the site, he learnt more and more about how Twitter worked, and used that knowledge to exploit the service and direct people to his own site.

According to social media blog Mashable (who covered the story wonderfully), Mooney exploited the site through Twitter’s profile bio section, which rendered whatever was stored there without neutralising it. A script inserted into the bio ran in the browser of anyone who viewed that profile; by creating multiple alternate Twitter profiles and drawing people to them, he spread the worm quickly across the network, since each infected account’s profile and status then carried the script to its own viewers.
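To make the stored-XSS mechanism concrete, here is an added example in Python (not code from the original post, from Twitter or from StalkDaily): the same profile template rendered with and without output encoding, plus a server-side scan over constructed sample bios that a moderation pipeline could use to find profile fields already carrying markup. The template, field names and sample bios are assumptions.

```python
import html
import re

# Constructed sample bio values (not from the incident): a benign bio and one
# carrying the kind of markup a stored-XSS payload needs.
BENIGN_BIO = "Brooklyn-based developer. Tweets about web security & coffee."
HOSTILE_BIO = 'Hi! <script>document.title = "x"</script>'

# Assumed profile-page template; the {bio} slot is filled with stored user data.
PROFILE_TEMPLATE = '<div class="bio">{bio}</div>'


def render_bio_unsafe(bio: str) -> str:
    """The defect: stored input is interpolated straight into the page, so any
    tags it contains become part of the DOM and scripts run for every viewer."""
    return PROFILE_TEMPLATE.format(bio=bio)


def render_bio_safe(bio: str) -> str:
    """The fix: HTML-escape the field at output time (including quotes, so it
    is also safe inside attribute values); the browser shows the characters
    literally instead of parsing them as markup."""
    return PROFILE_TEMPLATE.format(bio=html.escape(bio, quote=True))


# Heuristic for markup that can execute: script/iframe tags, inline event
# handler attributes, and javascript: URLs. Case-insensitive.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|<\s*iframe\b|\son\w+\s*=|javascript\s*:", re.IGNORECASE
)


def has_active_content(bio: str) -> bool:
    """Detection check for stored profiles: True when the bio already carries
    potentially executable markup. A triage signal, not a substitute for
    output encoding."""
    return ACTIVE_CONTENT.search(bio) is not None


def scan_profiles(profiles: dict) -> list:
    """Return the handles (sorted) whose stored bio is flagged."""
    return sorted(handle for handle, bio in profiles.items() if has_active_content(bio))


if __name__ == "__main__":
    print(render_bio_unsafe(HOSTILE_BIO))
    print(render_bio_safe(HOSTILE_BIO))
    print(scan_profiles({"alice": BENIGN_BIO, "mallory": HOSTILE_BIO}))
```

The scan is deliberately loose and will also flag harmless text such as “online=”, so treat its hits as candidates for review; the rendering fix is the escaping at output time.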
Twitter takes action
Twitter did eventually announce they had ‘closed the hole’ to stop the spread of the various links and status updates. They made clear that no passwords, phone numbers, or other sensitive information were compromised as part of this attack. No apology was apparent, however.

Actually, since Twitter said the problem was solved, the worm has launched another attack, tweeting spammy messages from infected users’ accounts.
See here for some info on the little brat, and some ideas for how to get his sites taken offline:
http://letstakeover.blogspot.com/2009/04/fight-back-against-stalkdaily-and-its.html
What do you expect, he’s from Brooklyn.
“dick” or not, this guy has taught Twitter a lesson & should have taught its users a lesson too.
We should be thankful that this exploit wasn’t more malicious & damaging. Hopefully it’s highlighted, to the less technical users, that once again we can’t put absolute faith in a service & should be better protected when online.
As a user of Firefox, with NoScript installed, this XSS was never going to be a threat to me, but the same probably can’t be said of the many users of ‘the world’s most popular browser’.
Hopefully the guys at Twitter will have woken up a bit as well because next time the attack might not be so trivial.
Ultimately I agree, the guy is not the brightest tool in the toolbox but better it was him than a criminal gang.
Virus infections in Twitter give employers and schools security as another reason to block Twitter. –Ben