Slashdot Mirror


Twitter Gets Slammed By the StalkDaily XSS Worm

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

1 of 145 comments

  1. Re:Bit obvious by timholman · Score: 5, Informative

    Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out.

    Especially when you read the Terms of Service on Mr. Mooney's own StalkDaily website, e.g.:

    7. You must not modify, adapt or hack StalkDaily.com or modify another website so as to falsely imply that it is associated with StalkDaily.com.

    8. You must not create or submit unwanted email to any StalkDaily members ("Spam").

    9. You must not transmit any worms or viruses or any code of a destructive nature.

    Talk about having a "Do as I say, not as I do" morality. At least it's refreshing to see that hypocrisy is not restricted to people over 30.