Twitter hit by cross-site scripting attacks

Chicago (IL) – The Twitter micro-blogging network has been hit by two cross-site scripting (XSS) attacks that spread messages from user accounts across the system without users’ consent. The initial “StalkDaily” messages that appeared over the weekend are now followed by a “Mikeyy” attack that apparently can infect Twitter accounts simply by viewing another infected Twitter page.
The attack was first reported late Friday last week and has since mutated somewhat, reappearing with different messages.

Security firms such as Sophos indicate that users do not need to click on a suspicious message containing the words “StalkDaily” or “Mikeyy” to get infected, but will be hit simply by viewing an infected page. While Twitter said it is closing the vulnerabilities, security experts advise users to use third-party Twitter clients such as TweetDeck and, when using the web-based Twitter version, not to click on “StalkDaily” or “Mikeyy” messages and to stay away from viewing user profiles.

Users who have been infected, which you would notice by seeing those messages in your profile, need to turn off JavaScript support in their browser, clear the browser cache and delete the attack messages from their profile. It is unclear whether the attack (the StalkDaily code was posted here) in fact collects passwords, but it may be a good idea to set a new password as well. You can turn JavaScript back on after you have made the changes. However, it is recommended at this time to keep JavaScript off when using Twitter, as the worm requires JavaScript to propagate itself.

There are no reports of actual damage caused by the XSS attacks.
BNONews reported that the attacks were created by 17-year-old Mike Mooney out of “boredom”, to “make money” and to promote his own website StalkDaily.
“I am the person who coded the XSS which then acted as a worm when it auto updated a user's profile and status, which then infected other users who viewed their profile,” he wrote to BNONews. “I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.”
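The mechanism described above, in the article and in Mooney's own account, is stored cross-site scripting: a profile field is saved with script in it and rendered back to every visitor without encoding, so the visitor's browser runs the script with that visitor's session. The following is an added example, not code from the article or from Twitter, showing the vulnerable rendering pattern next to the hardened one and a simple audit check a defender could run over stored profile data. The profile records, the `render_profile_*` functions and `audit_profiles` are all constructed for this illustration.

```python
import html
import re

# Constructed sample profile records. "mallory" carries an inline script in
# the bio field, standing in for the kind of content a stored-XSS worm
# plants in a profile. Neither record comes from the incident itself.
SAMPLE_PROFILES = {
    "alice": {"name": "Alice", "bio": "Security engineer & coffee drinker"},
    "mallory": {"name": "Mallory", "bio": 'Hi <script>alert("xss")</script>'},
}


def render_profile_unsafe(profile):
    """Vulnerable pattern (hypothetical): user-controlled text is interpolated
    into the HTML verbatim, so any markup in the bio is interpreted by the
    browser of whoever views the profile."""
    return (
        '<div class="profile">'
        f'<h1>{profile["name"]}</h1><p>{profile["bio"]}</p>'
        "</div>"
    )


def render_profile_safe(profile):
    """Hardened pattern (hypothetical): every user-controlled value is
    HTML-escaped at output time. The browser then shows the text literally
    (<script> becomes &lt;script&gt;) and never executes it."""
    name = html.escape(profile["name"], quote=True)
    bio = html.escape(profile["bio"], quote=True)
    return f'<div class="profile"><h1>{name}</h1><p>{bio}</p></div>'


# Audit signal for a defender reviewing already-stored data: script tags,
# inline event handlers and javascript: URLs have no business in a bio.
_SUSPICIOUS_RE = re.compile(
    r"<\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript:",
    re.IGNORECASE,
)


def flag_suspicious_field(value):
    """Return True if a stored text field looks like it carries active content.
    This is a detection aid for cleanup, not a replacement for output encoding:
    encoding at render time is what actually closes the hole."""
    return bool(_SUSPICIOUS_RE.search(value))


def audit_profiles(profiles):
    """Return the usernames whose name or bio trips the suspicious-content check,
    in sorted order, so they can be reviewed and cleaned."""
    return sorted(
        user
        for user, fields in profiles.items()
        if any(flag_suspicious_field(v) for v in fields.values())
    )


if __name__ == "__main__":
    for user, fields in SAMPLE_PROFILES.items():
        print("unsafe:", render_profile_unsafe(fields))
        print("safe:  ", render_profile_safe(fields))
    print("flagged:", audit_profiles(SAMPLE_PROFILES))
```

The point of the two renderers sitting side by side is that the stored data is identical in both cases; only the output encoding decides whether the visitor's browser treats the bio as text or as code. The audit function is what you would run over the database after the fact to find records that need cleaning, which is the server-side counterpart of the "delete the attack messages from your profile" advice given to users above.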