Apr 13 2009

Is Mickeyy trying to get arrested?

Published by at 7:32 am under Hacking,Malware,Social Networking

I really have to wonder if Michael Mooney is trying to get arrested; after creating three Twitter XSS worms over the weekend, the 17 year old author responded to an editor at Net News Daily and told the editor that he wasn’t worried and that he knows this stunt could land him in jail.  Like many grey and black hat hackers, he blames Twitter for leaving open the vulnerability, rather than taking any of the responsibility for notifying Twitter of the issue.

This Twitter XSS attack by Mikeyy caused quite a stir over the weekend, infecting thousands of users and creating tweets to point them back to his StalkerDaily site.  The accounts that started this have been shut down and work is in progress to clean up the issues, but it may be a few more days before we know for certain that everything is safe again.  There doesn’t appear to be any theft of personal information or account passwords involved in the worm, it was simply a publicity stunt to garner traffic for StalkerDaily, at least accoding to F-Secure and Twitter.

Don’t be at all surprised if this is only the first wave of Twitter worms.  Even if Twitter has already patched this vulnerability, it’s a big application with a lot of people banging against it trying to find the next set of vulnerabilties.  They’ll be found, sooner or later, it’s just a fact of life.  If you’re not already using Firefox and NoScript, now is a good time to start, at least when checking out people’s profiles.

Mikeyy is not an adult, he didn’t do anything that destructive, but his actions may be technically illegal, even if Twitter doesn’t want to prosocute directly.  His arrogance in claiming the worm and showing no signs of being even slightly apologetic for releasing it on Twitter don’t bode well for his future and the authorities need to have a long talk with him about it if nothing else.  I’ve long been a believer in responsible disclosure and this sort of behaviour is about as far from responsible disclosure as you can get. 

The thing we need to learn the most from this is that any web application is vulnerable.  Mickeey didn’t do much damage, all things considered, and he probably won’t get in too much trouble just because of that.   The next person who discovers a vulnerability in Twitter might not be quite so nice however.

Update:  Here’s some steps you can take to protect yourself – Twitter worm attack continues:  Here’s how to keep safe
Technorati Tags: , ,

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

9 responses so far

9 Responses to “Is Mickeyy trying to get arrested?”

  1. kurt wismeron 13 Apr 2009 at 9:39 am

    first wave of twitter worms? what about that ‘dont click’ one from a couple months ago?

  2. Joe Franscellaon 13 Apr 2009 at 10:36 am

    What kind of punishment would they hand out to a 17-year-old? Seems like the juvenile courts need to make an example of him or thousands – maybe millions – of kids like him might follow his selected path to stardom.

  3. Martinon 13 Apr 2009 at 10:46 am

    Kurt, I’d forgotten the ‘dont click’ event, but it didn’t have nearly the impact that this event had had. I guess I should probably change it to read “one of the first waves” instead


  4. Martinon 13 Apr 2009 at 11:44 am

    Joe, I can’t quite tell if you’re being sarcastic or not. I don’t care if they use this incident to make an example of him to others, but Mickeyy needs to understand this is no way to get into the security and pen testing field. Yeah, it has happened before and he might even get lucky. But it’s more likely that he’ll be ostracized than be offered a job. And it’s pretty certain twitter wouldn’t offer him a job.

    I don’t know for certain that’s why he did it, that’s just one theory I saw cross twitter today. In any case, he needs to have it explained that this isn’t a good route to continue down if he wants to stay out of jail.


  5. kurt wismeron 13 Apr 2009 at 11:56 am

    i think this one had more effect because *someone* keeps relaunching it and because twitter addressed the launch but not the vulnerability it used (which means *someone* can KEEP relaunching it until they do)…

  6. […] Is Mickeyy trying to get arrested? – Network Security Blog […]

  7. Joe Franscellaon 17 Apr 2009 at 10:37 am

    @Martin – No sarcasm intended. Law enforcement needs to do all it can to raise risk as high as possible for guys like this kid. I used to cover the juvenile crime beat when I was a reporter, no punishment typically means no incentive to stop.

  8. Martinon 17 Apr 2009 at 11:07 am

    The truly annoying part is that his ploy was successful.



  9. kurt wismeron 17 Apr 2009 at 12:41 pm

    i’m surprised you’re not more annoyed that after a full week someone is *still* able to relaunch this attack (there’s another variant going around, apparently).

    as much as i agree that mikeyy shouldn’t have done what he did and shouldn’t have gotten a job out of it, twitter is getting spanked security-wise.

%d bloggers like this: