Slashdot Mirror


Twitter Gets Slammed By the StalkDaily XSS Worm

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

35 of 145 comments

  1. To hire or to jail, that is the question by BadAnalogyGuy · · Score: 5, Funny

    A 17 year old is old enough to understand the ramifications of his actions to a reasonable extent. He no doubt understood that releasing a worm like that would be met with an unfavorable reaction. But he did it anyway. In this sense, he is a potential menace to the Internet.

    However, he is still in his formative years. His abilities could be nurtured in productive directions and we could have the next Edward Dijkstra in the making.

    So do we punish him and turn him to the Dark Side? Or do we show him love and respect and turn him? There is still good in him. I can feel it.

    1. Re:To hire or to jail, that is the question by SuperNothing307 · · Score: 5, Insightful

      No offense, but having a good understanding of XSS attacks at 17 doesn't exactly equate to the mathematical and analytical abilities of Edward Dijkstra. I know I don't put myself anywhere near that level. In fact, I'd argue that the chances are well in favor of him doing something like this again, except worse, rather than his becoming someone who does something beneficial for the world. I mean, look at all the attention he has gotten for this. Imagine what would happen if he does something worse! Punish him now, make him understand the gravity of his actions.

    2. Re:To hire or to jail, that is the question by rs79 · · Score: 5, Insightful

      I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.

      Tweet this, bitch.

      --
      Need Mercedes parts ?
    3. Re:To hire or to jail, that is the question by moderatorrater · · Score: 2, Funny

      RT: @rs79 "I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.

      Tweet this, bitch."

  2. Bit obvious by Toe,+The · · Score: 4, Interesting

    Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out. Or maybe it's a great way of getting a job. Depends on the legality of the worm, I suppose. :)

    1. Re:Bit obvious by timholman · · Score: 5, Informative

      Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out.

      Especially when you read the Terms of Service on Mr. Mooney's own StalkDaily website, e.g.:

      7. You must not modify, adapt or hack StalkDaily.com or modify another website so as to falsely imply that it is associated with StalkDaily.com.

      8. You must not create or submit unwanted email to any StalkDaily members ("Spam").

      9. You must not transmit any worms or viruses or any code of a destructive nature.

      Talk about having a "Do as I say, not as I do" morality. At least it's refreshing to see that hypocrisy is not restricted to people over 30.

    2. Re:Bit obvious by FlyingBishop · · Score: 2, Insightful

      Actually, we had a meeting where we agreed that ToS's are by nature BS. We didn't invite anyone over 30, so I don't know if you missed the memo or just weren't invited.

  3. Ummmm by benjfowler · · Score: 2, Interesting

    Mikeyy described how he carried out the attack:
    "I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status,

    Isn't that called "criminal damage"? Now if I'm not mistaken, the police and courts tend to frown on that sort of thing.

    1. Re:Ummmm by disbroc · · Score: 2, Insightful

      Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.

      Could the same not be argued about malicious/annoying scripting language code, or any interpreted code for that matter?

      If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.

      Maybe it's just me, but I think that depending on what country you are in the laws for what you are responsible for change quite a bit.

    2. Re:Ummmm by Anonymous Coward · · Score: 2, Informative

      Fuckwits... XSS = Cross Site Scripting, not XML Style Sheets.

  4. Clearly he should be made to by Colin+Smith · · Score: 2, Funny

    Go and manually run anti virus software on every infected PC.


    --
    Deleted
    1. Re:Clearly he should be made to by Anpheus · · Score: 4, Informative

      Go and manually run anti virus software on every infected PC.

      Not that kind of worm. It was purely a scripting attack involving javascript. No one's computers were harmed, only a bunch of twitter accounts. (Which can no doubt be fixed by patching the hole and some good SQL query to fix all the accounts in one go.)

    2. Re:Clearly he should be made to by FlyingBishop · · Score: 2, Insightful

      There are no infected PCs. The only thing 'infected' was people's twitter statuses, and now that the exploit was patched, there is no virus, since the code was executed by the server, not by the individual computer.

      This sounds pretty harmless.

    3. Re:Clearly he should be made to by nneonneo · · Score: 2, Interesting

      It was XSS; the idea is that an attacker puts his JavaScript code on a page belonging to someone else. When a victim views the page, their client executes the JavaScript.

      Now, in this case, we got lucky: this guy didn't try to exploit browser vulns or anything of the sort. What if, though, this thing had come to the attention of, say, a botnet operator? Combined with a browser vulnerability (the sort found at CanSecWest, for example), the botnet operator could easily have gotten several thousand more systems under his control very quickly. In fact, XSS holes are presently being used to inject malware on otherwise clean websites all the time -- the difference here is simply the visibility of Twitter as compared to most websites.

      This was harmless, but it may not have been.

  5. Would you trust StalkDaily? by Joao · · Score: 4, Insightful

    Seriously, would you? The developer admits to infecting people's computers and accounts in order to advertise his services, and doesn't think he did anything wrong. How can anyone trust his services then?

    For starters he should be forced to take down StalkDaily. I'm sure Tweeter lawyers are looking into this right now. And for once, I agree with such a move. /not a tweeter user

    1. Re:Would you trust StalkDaily? by Anonymous Coward · · Score: 4, Insightful

      Two issues with your post:
      One, the dev did not infect anyone's computers. He wrote a small program, on the site, that would update the profile of anybody who saw one of the spam comments. For example, you visit a friend's page who has one of these comments (and therefore the code) and your profile is updated with a comment (and the code). The only "infection" was on the site, not the end users. Also, no accounts were hacked. Simply a case of instructing the visitor's browser to slyly update the visitor's status while looking at a different page. TFA states that there were no passwords, usernames, or anything else in the code.
      Two, it's twitter.
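As an added example (not code from the thread, from Twitter, or from StalkDaily), this is the defensive side of what nneonneo and the Anonymous Coward above describe: the profile-rendering step escapes stored text so injected markup is displayed rather than executed, a link field is restricted to http(s), and a scan lists accounts whose stored fields already carry script markup, for the one-pass cleanup Anpheus mentions. The function names, the sample profiles and the placeholder domain are all assumptions of this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample of stored profile fields (not real Twitter data). "bob"'s
# bio carries a script tag pointing at a placeholder domain, the way the thread
# describes the worm loading code from a site outside twitter.com.
SAMPLE_PROFILES = {
    "alice": {"bio": "Loves <3 coffee & cats", "url": "https://example.org/alice"},
    "bob": {"bio": 'hi <script src="https://worm.example.invalid/x.js"></script>',
            "url": "javascript:void(0)"},
}

# Markup that should never appear in a plain-text profile field once stored.
SUSPICIOUS = re.compile(r"<\s*script|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def render_bio(bio: str) -> str:
    """The vulnerable version is simply f"<p>{bio}</p>": whatever a user stored
    is sent to every visitor's browser as markup. Escaping turns it into inert
    text, so the browser shows the script tag instead of fetching the script."""
    return f'<p class="bio">{html.escape(bio, quote=True)}</p>'


def safe_href(url: str) -> str:
    """Only http(s) links are emitted; any other scheme becomes a dead link."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme in ("http", "https"):
        return html.escape(url, quote=True)
    return "#"


def find_suspicious_profiles(profiles: dict) -> list:
    """Scan stored fields so an operator can list the accounts that already
    carry injected markup and clean them up in one pass."""
    hits = []
    for user, fields in profiles.items():
        if any(SUSPICIOUS.search(value) for value in fields.values()):
            hits.append(user)
    return sorted(hits)


if __name__ == "__main__":
    for user, fields in SAMPLE_PROFILES.items():
        print(user, render_bio(fields["bio"]), safe_href(fields["url"]))
    print("accounts needing cleanup:", find_suspicious_profiles(SAMPLE_PROFILES))
```

Escaping at output time is what stops the stored payload from running; the scan only helps find accounts that were written before the hole was closed.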

    2. Re:Would you trust StalkDaily? by memojuez · · Score: 2, Interesting

      According to TFA, Two instances of Malware and one instance of the Seneka Root Kit

      A Malwarebytes scan comes up with three instances of malware. One is the Seneka rootkit (ouch!).

      Also, according to the code and analysis posted on TFA, the script was run on the client side, i.e. the user's computer, and exploited an XSS exploit on Twitter's website.

      I think that satisfies the definition of a Black-Hat Hack & Infecting users' PCs.

      --
      Signature applied for, Patent Pending
  6. Re:author found. Now what? by berend+botje · · Score: 4, Funny

    Hang him, I'd say.

  7. Re:throw the scumbag in jail by Teun · · Score: 4, Informative

    Idiots like him are the reason viruses exist.

    Stop right there! You are infringing on a Microsoft technology.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  8. Re:author found. Now what? by oldhack · · Score: 5, Insightful

    Buy that man a beer. :-)

    --
    Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
  9. I saw this. by Aladrin · · Score: 2, Interesting

    One of the Japanese people I followed suddenly tweeted a couple lines in English about StalkDaily and I was like 'wtf?' At least now I know it wasn't them.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    1. Re:I saw this. by sakdoctor · · Score: 4, Funny

      You have used the verb "tweeted".
      Ninjas have been dispatched to your location, to make sure you don't do it again.

  10. Re:author found. Now what? by jrothwell97 · · Score: 2, Funny

    Drop him into the jaws of the Great Whale of Fail, while forcing him to follow Robert Scoble and Bill O'Reilly.

    --
    Those using pirated Tinysoft signatures(TM) are a real threat to society and should all be thrown in jail.
  11. Ob. Penny Arcade by slushdork · · Score: 2, Funny

    Le Twittre - pretty much says it all...

  12. Sounds Like A Publicity Stunt by Dreadneck · · Score: 3, Insightful

    FTA:

    StalkDaily.com is similar in design and features to Twitter. In addition to the features of Twitter, it also allows users to upload videos and photos. Through looking at the code behind Twitter, Mikeyy was able to produce a similar site to Twitter with some additional features. "I used my past knowledge to gain an insight on how Twitter worked and outputted to a user. Although both of the sites are coded in different languages I was able to give my site the same features as Twitter, while coding some of my own."

    It sounds to me like the kid was trying to promote his Twitter knockoff site, but for some reason felt the need to do so by poking a stick in Twitter's eye. Makes me think the whole thing was a juvenile cry for attention. I knew a kid like that in high school. He was smart as could be but would do anything, no matter how socially unacceptable, to get attention.

    I think the kid needs counseling and guidance and not a jail sentence.

    --
    Power does not corrupt - power attracts the corrupt.
  13. Re:author found. Now what? by morgan_greywolf · · Score: 5, Funny

    I tried, but they closed down the Microsoft Pub.

  14. Re:NoScript? by morgan_greywolf · · Score: 3, Insightful

    You're not ignorant. You're right. In addition, recent Firefox browsers have built-in XSS blocking.

  15. Samy is my hero by The+Real+Toad+King · · Score: 3, Insightful

    This sounds almost exactly like the Samy worm to me.

  16. The XSS FAQ by mrkitty · · Score: 2, Informative

    The Cross-site Scripting FAQ http://www.cgisecurity.com/xss-faq.html

    --
    Believe me, if I started murdering people, there would be none of you left.
  17. Re:author found. Now what? by fuzzyfuzzyfungus · · Score: 2, Insightful

    From TFA:

    "I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website."

    Every inch of this quotation just makes you want to beat the kid. I bet he has an annoying voice, too.

  18. Re:NoScript? by wannabgeek · · Score: 3, Insightful

    Yeah right! Every time some vi comes up, people start holding NoScript as a panacea. I use NoScript so I am aware of its advantages. But it's not a cure-all. There are so many sites (twitter in this case) which simply do not work without Javascript being enabled. So most of the NoScript users who use twitter through a browser will have Javascript enabled - by whitelisting it in NoScript. So, no, sorry, NoScript is not a protection against this one.

    --
    I'm much more funny, interesting and insightful than the moderators think
  19. Spell Twitter by wfstanle · · Score: 3, Funny

    Remember, you can't spell "Twitter" without using the word "twit".

  20. Re:author found. Now what? by Ihmhi · · Score: 2, Funny

    Don't worry, the Linux pub is better. The beer is free, and you can get a copy of the beer's recipe anytime you like!

  21. Re:author found. Now what? by Anonymous Coward · · Score: 5, Funny

    Yeah, but if you ask for a beer the bartender calls you a N00B and if you ask what beers are available he tells you to RTFMenu.

  22. Yes, NoScript by Giorgio+Maone · · Score: 2, Informative

    You're wrong, NoScript DOES give protection against this attack. The malicious code comes from mikeyylolz.uuuq.com, which is not in your NoScript whitelist even if you're using twitter.com with scripts allowed.

    Please check http://hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript/

    --
    There's a browser safer than Firefox, it is Firefox, with NoScript