DISQUS

Mashable - The Social Media Guide: How StalkDaily Opened a Gaping Hole in Twitter

  • Don Schindler · 8 months ago
    What did the user gain from doing this to users besides the notoriety? I'm so tired of this crap.
  • Donald · 8 months ago
    Notoriety is everything
  • Ganesh - Online Bull · 8 months ago
    You can say that again. I guess he's enjoying the attention right now.
  • Wayne Smallman · 8 months ago
    Donald is right, these people are showing off to each other, scoring points and gaining respect amongst their peers. It's crazy, but they're just part of a clique, like most other people are, seeking that tacit nod of approval.

    Twitter is a very high profile target, so I'll leave you to imagine how much kudos this scored them...
  • Richard Sakai · 8 months ago
    interesting piece of code nonetheless.
  • Cam McAlpine · 8 months ago
    Pete:
    one question, and one comment:
    What do you mean by "switch your bio back to normal"?
    New desktop client for Mac users (in add'n to TweetDeck and Seesmic) is Nambu -- and it's pretty cool.
    Thx for you work on this one.
    C
  • Pierre Fontenelle · 8 months ago
    worm spreads through user's web address (More Info URL) so they need to update that to clean their profile.
  • Denis · 8 months ago
    Wow. I can't believe that such a gaping security hole has been open and available since day 1. Thanks for the info.
  • joemccann · 8 months ago
    mikeyylolzuuug dot com -- This is not even a site.

    Also, viewing the source code of @gangsterboy reveals no JavaScript anywhere, except the JS that twitter serves in the page. I've monitored all script requests in Firebug as well and so nothing peculiar.

    So....where are you getting this info from?
  • mashable · 8 months ago
    Good catch. The username is actually "gangsterboyha" (probably fixed by Twitter at this point) and javascript is hosted at mikeyylolz dot uuuq dot com (slash) x dot js
  • joemccann · 8 months ago
    Okay cool, yeah I was pretty sure April Fool's was over... ;-)
  • BeauGiles · 8 months ago
    Seems to be fixed now. Just been trying to get infected for the last 5 minutes. :p

    Also;
    "Twitter security team has deployed a patch to stop the worm/script vector" says @netik (via @murphysblues)
  • mashable · 8 months ago
    Yeah, they updated the status blog just now to say the same.

    So, did you want some help getting infected? ;)
  • Robin Greenbaum · 8 months ago
    I just checked @jackoonline and his last post seems to be an infected one.. I clicked off it to see how long ago it was but he just subscribed to me and I haven't seen them in a few hours hmm
  • Robin Greenbaum · 8 months ago
    whoops @jankoonline may still have the virus?!
  • dacort · 8 months ago
    Twitter has taken care of it at this point, much to the chagrin of their Saturday afternoon.

    I posted some technical details of the attack on my site: http://dcortesi.com/2009/04/11/twitter-stalkdai...

    Interesting little attack, but nothing more than a nuisance and somebody looking for some Internet notoriety. It could have been significantly worse.
  • Robin · 8 months ago
    1. why did it take so long for twitter to fix? couldn't they just change the type of data URL fields accept? ie block the word script?!
    2. are similar "injection" attacks still possible on twitter? more curious than critical but how could a site with 7m+ users have had such a gaping security oversight?
  • mashable · 8 months ago
    2. Heh, were you around when MySpace was suffering XSS exploits every couple weeks? That site, with 100M+ users, had all sorts of issues. However, MySpace was much more vulnerable because a core feature was inserting your own CSS and html to change the look of your profile.

    Since user-entered code is not a core part of Twitter, I don't see them as being wide open to this threat. They seem most vulnerable to attacks that encourage users to click an external URL, particularly since these URLs can be hidden behind short URLs.
  • Robin · 8 months ago
    twitter is all about trusting the urls you are clicking on. I think they may have gotten off lucky this time and a wake up call. I think the answer may be to have urls separate perhaps not within the 140 characters so they can be their full length and people can see what they are clicking on?! I had the virus tonight @cobrokenation and felt perhaps every link tonight was suspect. Lucky there wasn't round #2 for example where help links would have been part of the attack.
  • dacort · 8 months ago
    1. They fixed this pretty quickly once they were alerted to the fact that it was spreading via url fields. Once one of their API leads had his Saturday afternoon interrupted by the fact that this was happening, a fix to prevent the attack was in place within minutes. They then spent the rest of the time cleaning up the mess.

    Preventing attacks on a major code base isn't an easy task.
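    An added example (not from the article or any commenter) on the fix question raised above: stripping the word "script" from the profile URL field leaves the attribute-breaking characters in place, whereas accepting only http(s) URLs and escaping on output closes the hole. Function names are this example's own.

    ```javascript
    // Added example: contrast the "block the word script" idea with a proper fix
    // for a user-supplied profile URL that is rendered into an <a href="...">.
    // Names (naiveFilter, validateProfileUrl, renderProfileLink) are assumptions.

    // The keyword blocklist proposed in the thread. It removes the string
    // "script" but leaves quotes and angle brackets untouched.
    function naiveFilter(url) {
      return url.replace(/script/gi, "");
    }

    // Escape a value so it can sit inside a double-quoted attribute or in
    // element text without closing the attribute or opening a new tag.
    function escapeHtml(s) {
      return String(s)
        .replace(/&/g, "&amp;")
        .replace(/</g, "&lt;")
        .replace(/>/g, "&gt;")
        .replace(/"/g, "&quot;")
        .replace(/'/g, "&#39;");
    }

    // Allow-list the scheme: only http/https is a valid "More Info URL".
    // Anything else is rejected outright (null) instead of being "cleaned".
    function validateProfileUrl(url) {
      let parsed;
      try {
        parsed = new URL(String(url).trim());
      } catch (e) {
        return null; // not an absolute URL at all
      }
      if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
      return parsed.href; // normalized form
    }

    // Render the link: validate on input, escape on output. Returns "" when the
    // stored value is not an acceptable URL.
    function renderProfileLink(url) {
      const safe = validateProfileUrl(url);
      if (safe === null) return "";
      return '<a href="' + escapeHtml(safe) + '">' + escapeHtml(safe) + "</a>";
    }
    ```
    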
  • Anhkah · 8 months ago
    This is easy enough to avoid by simply turning off the preference setting that accepts all cookies automatically. Then you can see when and what cookies are being requested and approve them if you need or want.
  • mashable · 8 months ago
    Or disable javascript. But both make browsing the web more of a chore.
  • Robin · 8 months ago
    you are assuming we know how to use our browsers ;-) I am on safari and have no clue.
  • dacort · 8 months ago
    NoScript (http://noscript.net/) is another somewhat painful option. But once you have a base of "trusted" sites, it's a little bit easier to deal with and would have prevented this exact attack.
  • maureen birdsall · 8 months ago
    What a loser
  • Nosredna · 8 months ago
    Saw the JavaScript for the hack. I thought it was kinda lame that the coder used 'new Array()' and a bunch of assignments instead of just creating an array on-the-fly with an array literal.
  • dacort · 8 months ago
    Really should've used the jquery library already on the Twitter site, too. Would've saved a lot of trouble. ;)
  • Nosredna · 8 months ago
    Haha. Yeah. All that Ajax code in there could have been one line.
  • Robin Greenbaum · 8 months ago
    if people still need to fix their profiles how is it fixed? can they still reinfect?
  • lorsturm · 8 months ago
    Holy cow! I've visited tons of profiles today!!! Wish I'd read about this sooner. Yikes, everything appears to be the way I created it on my page. So I guess I was lucky.
  • Daniel Larsson · 8 months ago
    For you people asking for reasons why social media sites shouldn't integrate 'one click payment' solutions too early. See --> This
  • gregp · 8 months ago
    I envy you computer geeks...We take so much for granted online...thanks alot to the "good guys"
  • Marceli Hasusi · 8 months ago
    Oh! Verry Good!
  • Facebook User · 8 months ago
    Using Firefox with NoScript has its advantages.
  • Facebook User · 8 months ago
    1st tweet friend had it - he in Australia i visit him wham
    I got it @ 8am EST (Vermont USA)
    IRATE! &%*&*

    fortunately I made immediate intuitive fix - XSS code in my location field of settings
    erased it - locked updates4now

    thx for this info - will do. after I fixed my web twitter
    I split cuz angry - I better now

    my rule is if I accidentally get hurt - walk away - feel good that I was able to get the crap out of my web twitter site on my own maybe did not embed in my image wall because my background is from freetwitterbackground based in Australia.

    thx again, and good luck - sux this happened to y'all - *&%^&*!!! - :)Sonja
  • Sonja Clawson · 8 months ago
    - friend in Australia got it 1st

    wham on me ~ 8am EST (Vermont, USA)

    fortunately I successfully made intuitive immediate fix

    XSS code in my location field of settings. erased it. locked my updates - still locked

    seems all good now.

    maybe did not post into any image setting as I use freetwitterbackground ?

    I appreciate your time to ID this and make thorough steps 4 tweet users

    I do use on web - my browser is google chrome

    i was irate - after erased XSS and locked down I walked away for long time
    good rule - if accidentally get hurt - walk away
    went to blip.fm and streamed in some songs

    ugh - must have been stress on you all - I appreciate your help. and I feel ya! #$%^^!

    Sonja
  • mms · 8 months ago
    For the people who have been using Firefox with Noscript installed, I am wondering if the script itself was unable to do the attack since the newest version of noscript prevents XSS script jacking. ? In fact if there is bad code or harmful code, it prevents you from using the site at all unless you globally allow all sites. Am I wrong?
  • Facebook User · 8 months ago
    - sorry my comment posted twice cuz of my own stress!

    yea - good comment about the firefox browser

    I use google chrome - good as well

    as the comment above reads friend in Australia had it first
    when I was in Vermont at 8am EST
    thx to my broken brains (no joke I have traumatic brain injury have not used computer for 5 years since car hit me) - thx be I fixed it. ugh, like I said I feel ya

    this kinda crap is to be expected.
  • Spider Monkey · 8 months ago
    BNO news says Mikeyy Mooney is the author. True ? http://twitter.com/BreakingNews/status/1501215332
  • sfsasa · 8 months ago
    What's the point of the three second delay? Why not steal your shit the moment the javascript starts running?
  • richie · 8 months ago
    Hey Mashable how is possible for these guys to hack Twitter accounts
  • richie · 8 months ago
    How can someone hack your Twitter account, Mashable I'm kinda new here, can anyone answer this question Thank you I'm located in Staten Island ny
  • BeauGiles · 8 months ago
    It's back.
    People who have been hacked - do not visit these profiles: http://tinyurl.com/cvujsd (Twitter Search link)

    If you've been infected, change the URL in your profile, SIGN OUT from the Twitter WebUI, and wait for a fix.

    'Mikeyy' only has access to your account while you're signed in to the webui, as it's cookie based. He doesn't have your password.

    http://twitter.com/BeauGiles
  • David Jackmanson · 8 months ago
    As of five-ten minutes ago, it appears that hijacked Twitter accounts have been sending out spam messages saying things like "Man, Twitter can't fix shit. Mikeyy owns. :)". I wouldn't visit those accounts until we're told it's safe. Accounts include @PragueBob, @612Brisbane and @brisneyland
  • Mac · 8 months ago
    FYI, the worm is still running wild.
  • diptychal · 8 months ago
    It hasn't been fixed. It happened to my account. Thanks for letting us know how to avoid it at least.
  • Lynzy7 · 8 months ago
    2 other usernames are Hi (wooobabywoo) and also Thomas Moody (moodswingmanage)
  • Joel Gascoigne · 8 months ago
    I really can't believe there was a huge security hole like this in Twitter! And that it's only just been exploited.
  • Arizona Dennizen · 8 months ago
    who visits twitter profiles? is twhirl immune?
  • JustinSMV · 8 months ago
    Reminds me of back in the AOL days where you could write code in the Instant Message windows and create scripts to punt people offline. It's scary to see how many people got affected by this script but I am sure Twitter is big enough to prevent the scripts from now on, hey, that's the only way to learn right? Fail then succeed. Great post
  • Gregory D. Howe · 8 months ago
    I was a victim of this attack. I received the usual e-mail message from Twitter indicating a new person was following me. I copied the name into the clipboard and while I was using Twitter from my browser I pasted the name as the last element of the URL and pressed the enter key. I followed the person and a few seconds later I saw messages in the timeline from me that I had not entered.

    I immediately went to my settings and found what looked to be perhaps javascript in the URL field. I cleared the URL out, saved the settings and unfollowed the fellow. I went back a minute later and found that I was again following him so I blocked him. I then went to my settings and deleted my profile thereby logging out. This morning I successfully reinstated my profile and I'm following and being followed by more folks than ever before. CRAZY high strangeness!
  • Rachel · 8 months ago
    Ok, I'm dumb, can you explain to me one thing? If Stalkdaily.com isn't guilty, what part of stalkdaily was necessary for the hacker to create this mess? It sounds from your explanation like the hack could have been (and was?) accomplished entirely within Twitter.
  • Martin · 8 months ago
    It's quite serious cause 50%+ are using the web as their only twitter platform. I am not sure what this does and apparently no one is still certain but @rouge_leader says: "I can no longer log on via 3rd party apps."
  • Ron West · 7 months ago
    So is this illegal? I can't see how there is a law against exploiting a website's lack of security against XSS. The attacker did not steal passwords or any other data - they just promoted themselves. I know this was a distraction and may be an issue of trust - but I can't see an illegal act here.
  • Benjamin Wright · 7 months ago
    Virus infections in Twitter give employers and schools security as another reason to block Twitter. --Ben
  • flysquat · 7 months ago
    Nothing more than a jobless scriptkiddie. Hate em. Find em... beat em. Then bogart their gear. :) Sell it on ebay. "From the guy that exposed Twitter" 10,000$ equipment nearly new.
  • PamE · 7 months ago
    I noticed my profile has "&" and remembered that was one of the things to watch for with this worm. I went into my profile to delete it and it wasn't in my bio but it is still showing on my profile page. Any suggestions on how to get rid of this? I did follow the above instructions & changed my password and cleaned my cookies. Appreciate any help.