Last night, Twitter was in a state in panic over a ‘worm’ that had exploited the site. Unlike previous bugs which required you click a link of some sort, users could be affected by simply visiting someone else’s profile.
The ‘worm’, stemmed from an apparently twitter-like called StalkDaily, infecting Twitter profiles and status updates directing people to StalkDaily. Throughout the entire event, the StalkDaily site maintained no involvement – today, we learn that was clearly a lie.
The idiot comes clean.
The 17 year old, Brooklyn based owner of StalkDaily, has admitted responsibility for the Twitter worm. In an email to BNO News, the site behind twitter account BreakingNewsOn, Mooney said:
“I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.”
Whilst developing the site he learnt more and more about how Twitter worked, using that knowledge to exploit the service and direct people to his own site.
According to social media blog Mashable (who covered the story wonderfully), Mooney was able to exploit the site by apparently making use of Twitter’s bio section. Inserting a script, creating multiple alternate Twitter profiles and having people visit those specific profiles would spread the worm fast across the network.
Twitter takes action
Twitter did eventually announce they had ‘closed the hole’ to stop the the spread of the various links and status updates. They made clear no passwords, phone numbers, or other sensitive information were compromised as part of this attack. No apparent apology however.