Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Twitter worm underscores social-networking vulnerabilities

Twitter was struck by a particularly nasty cross-site scripting worm over the weekend, again bringing to light the threat of client-side attacks across social networking sites.

Four variants of the worm hit Twitter, bringing back memories of the infamous -- and groundbreaking -- Samy worm that snaked through MySpace several years ago.

The Twitter worm spread links to a supposed Twitter copycat site called StalkDaily[dot]com by exploiting a cross-site scripting (XSS) vulnerability and infecting an unknown number of Twitter profiles. Each wave of the worm attacks was more intense than its predecessor, according to a post on the official Twitter blog.

“We secured the accounts that had been compromised and removed any content that might help spread the worm,” Twitter co-founder Biz Stone wrote on the blog. “All told, we identified and deleted almost 10,000 'tweets' [messages] that could have continued to spread the worm.”

The worm's activity seems to have been contained, but there is little guarantee that no threats remain, experts said.

“This may be an open-ended problem," Andy Hayter, Anti-Malcode program manager at security solutions tester ICSA Labs, told SCMagazineUS.com on Monday. "I don't think we've seen the end of it."

But overall, the damage so far has been minimal, Stone said in his blog post. No personal information was compromised.

"All the attacks are JavaScript-based, so turn off JavaScript in your browser if you are worried," Hayter said.

Richard Wang, manager of Sophos Labs U.S., recommended Twitter users avoid clicking on untrusted links. He also told SCMagazineUS.com that Twitter can modify its platform so it cannot support malicious code such as this.

Stone wrote: “We are still reviewing all the details, cleaning up, and we remain on alert.”

According to published reports, a 17-year-old Brooklyn, N.Y. boy has taken responsibility for the attack. Michael "Mikeyy" Mooney said he devised the malware out of boredom and to prove how vulnerable Twitter is.

Stone likened the attack to one perpetrated by Samy Kamkar, who, in 2005 when he was 19, unleashed a similar self-replicating, XSS worm across MySpace that was believed to be the first of its kind. The worm was benign but enabled Kamkar to attain more than one million "friends" in 24 hours. He later was sentenced to three years probation and ordered to serve 90 days of community service.

 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.