Apr 13 2009
I really have to wonder if Michael Mooney is trying to get arrested; after creating three Twitter XSS worms over the weekend, the 17-year-old author responded to an editor at Net News Daily, telling the editor that he wasn't worried and that he knows this stunt could land him in jail. Like many grey- and black-hat hackers, he blames Twitter for leaving the vulnerability open rather than taking any responsibility for notifying Twitter of the issue.
This Twitter XSS attack by Mikeyy caused quite a stir over the weekend, infecting thousands of users and creating tweets that pointed them back to his StalkDaily site. The accounts that started this have been shut down and work is in progress to clean up the issues, but it may be a few more days before we know for certain that everything is safe again. There doesn't appear to be any theft of personal information or account passwords involved in the worm; it was simply a publicity stunt to garner traffic for StalkDaily, at least according to F-Secure and Twitter.
Don't be at all surprised if this is only the first wave of Twitter worms. Even if Twitter has already patched this vulnerability, it's a big application with a lot of people banging against it trying to find the next set of vulnerabilities. They'll be found sooner or later; it's just a fact of life. If you're not already using Firefox and NoScript, now is a good time to start, at least when checking out people's profiles.
Mikeyy is not an adult and he didn't do anything that destructive, but his actions may be technically illegal, even if Twitter doesn't want to prosecute directly. His arrogance in claiming the worm and showing no sign of being even slightly apologetic for releasing it on Twitter doesn't bode well for his future, and the authorities need to have a long talk with him about it if nothing else. I've long been a believer in responsible disclosure, and this sort of behaviour is about as far from responsible disclosure as you can get.
The thing we most need to learn from this is that any web application is vulnerable. Mikeyy didn't do much damage, all things considered, and he probably won't get in too much trouble because of that. The next person who discovers a vulnerability in Twitter might not be quite so nice, however.
Update: Here are some steps you can take to protect yourself – Twitter worm attack continues: Here's how to keep safe
Technorati Tags: Twitter, XSS, StalkDaily