Slashdot Mirror


Twitter Gets Slammed By the StalkDaily XSS Worm

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

5 of 145 comments

  1. Would you trust StalkDaily? by Joao · Score: 4, Insightful

    Seriously, would you? The developer admits to infecting people's computers and accounts in order to advertise his services, and doesn't think he did anything wrong. How can anyone trust his services then?

    For starters he should be forced to take down StalkDaily. I'm sure Tweeter lawyers are looking into this right now. And for once, I agree with such a move. /not a tweeter user

    1. Re:Would you trust StalkDaily? by Anonymous Coward · Score: 4, Insightful

      Two issues with your post:
      One, the dev did not infect anyone's computers. He wrote a small program, on the site, that would update the profile of anybody who saw one of the spam comments. For example, you visit a friend's page who has one of these comments (and therefore the code) and your profile is updated with a comment (and the code). The only "infection" was on the site, not the end users. Also, no accounts were hacked. Simply a case of instructing the visitor's browser to slyly update the visitor's status while looking at a different page. TFA states that there were no passwords, usernames, or anything else in the code.
      Two, it's twitter.
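The reply above describes the mechanism as stored markup in a profile that the visitor's browser executed, and which then wrote the same markup into the visitor's own status. The standard mitigation for that class of bug is escaping untrusted profile text when it is rendered into HTML. The following is an added illustration, not code from Slashdot, Twitter or the StalkDaily site; the function names, the `renderProfile*` helpers and the sample bio string are all constructed for this example.

```javascript
// Added example: output encoding for user-supplied profile text, the defence
// against stored XSS of the kind the thread discusses. Not from the original page.

// Map of characters that change meaning in an HTML text node or attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '/': '&#x2F;',
};

// Escape every character that could start or end markup, so the browser
// treats the whole string as text rather than as tags or attributes.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// The vulnerable pattern: interpolating the bio straight into the page.
// Kept here only to contrast with the hardened version below.
function renderProfileUnsafe(bio) {
  return `<div class="bio">${bio}</div>`;
}

// The hardened pattern: the same template, but every untrusted value is
// escaped at the point where it enters HTML.
function renderProfileSafe(bio) {
  return `<div class="bio">${escapeHtml(bio)}</div>`;
}

// A simple check a test suite or log scanner can apply to rendered output:
// does any live <script ...> tag survive into the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample bio (not the worm's actual payload): the classic
// harmless marker used when testing for XSS.
const SAMPLE_BIO = 'Hi there! <script>document.title = "xss"</script>';

// Stand-alone demonstration of both renderings.
console.log('unsafe :', renderProfileUnsafe(SAMPLE_BIO));
console.log('safe   :', renderProfileSafe(SAMPLE_BIO));
console.log('unsafe output carries a script tag:', containsScriptTag(renderProfileUnsafe(SAMPLE_BIO)));
console.log('safe output carries a script tag  :', containsScriptTag(renderProfileSafe(SAMPLE_BIO)));
```

Escaping has to happen at output time and in the context where the value is placed (an attribute or a JavaScript string needs different rules than a text node); a Content-Security-Policy that disallows inline script is a useful second layer, but it is not a substitute for encoding.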

  2. Re:author found. Now what? by oldhack · Score: 5, Insightful

    Buy that man a beer. :-)

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.

  3. Re:To hire or to jail, that is the question by SuperNothing307 · Score: 5, Insightful

    No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edsger Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.

  4. Re:To hire or to jail, that is the question by rs79 · Score: 5, Insightful

    I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.

    Tweet this, bitch.

    --
    Need Mercedes parts?