Twitter worm underscores social-networking vulnerabilities

Share this article:

Twitter was struck by a particularly nasty cross-site scripting worm over the weekend, again bringing to light the threat of client-side attacks across social networking sites.

Four variants of the worm hit Twitter, bringing back memories of the infamous -- and groundbreaking -- Samy worm that snaked through MySpace several years ago.

The Twitter worm spread links to a supposed Twitter copycat site called StalkDaily[dot]com by exploiting a cross-site scripting (XSS) vulnerability and infecting an unknown number of Twitter profiles. Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog.

“We secured the accounts that had been compromised and removed any content that might help spread the worm,” Twitter co-founder Biz Stone wrote on the blog. “All told, we identified and deleted almost 10,000 'tweets' [messages] that could have continued to spread the worm.”

The worm's activity seems to have been contained, but there is little guarantee that no threats remain, experts said.

“This may be an open-ended problem," Andy Hayter, Anti-Malcode program manager at security solutions tester ICSA Labs, told SCMagazineUS.com on Monday. "I don't think we've seen the end of it."

But overall, the damage so far has been minimal, Stone said in his blog post. No personal information was compromised.

"All the attacks are JavaScript-based, so turn off JavaScript in your browser if you are worried," Hayter said.

Richard Wang, manager of Sophos Labs U.S., recommended Twitter users avoid clicking on untrusted links. He also told SCMagazineUS.com that Twitter can modify its platform so it cannot support malicious code such as this.

Stone wrote: “We are still reviewing all the details, cleaning up, and we remain on alert.”

According to published reports, a 17-year-old Brooklyn, N.Y. boy has taken responsibility for the attack. Michael "Mikeyy" Mooney said he devised the malware out of boredom and to prove how vulnerable Twitter is.

Stone likened the attack to one perpetrated by Samy Kamkar, who, in 2005 when he was 19, unleashed a similar self-replicating, XSS worm across MySpace that was believed to be the first of its kind. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He later was sentenced to three years probation and ordered to serve 90 days of community service.

 

Share this article:
close

Next Article in News

Sign up to our newsletters

More in News

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.

Contempt order against Lavabit still stands, appeals court rules

Contempt order against Lavabit still stands, appeals court ...

A federal appeals court backed an earlier ruling penalizing the email service.