Today, Twitter was hit by a particularly nasty XSS attack that resulted in thousands of tweets linking to an infected site. Whether the site, stalkdaily.com, was knowingly involved in the attack or not, simply visiting this site while logged in to Twitter was enough for Twitter profiles to be infected. From there, any logged in Twitter user who visited an infected profile also risked infection.
Nothing on the Web is 100% secure
This morning, New Zealand time, I became aware of some strange activity after noticing tweets from some of the people I follow, exhorting me to visit stalkdaily.com. Alarm bells really started ringing when one of my friends sent a tweet warning people not to visit the site - followed almost immediately after by a series of tweets encouraging people to do just that.
Speculation ran rampant for hours while users waited for a status update from Twitter, which didn't come (until the hole was fixed a short time ago). In the meantime, the official Twitter spam account indicated that the stalkdaily issue had been fixed hours before and Twitter was in the process of cleaning up users' accounts.
Any users seeing those tweets, and also getting tweets from those they follow saying that the site was "awesome" or "legit" may have been duped into activating the XSS on their own profile.
These are the tweets that were randomly sent from infected Twitter accounts:
Damon Cortesi was one of the first to analyse the injected script, and he reported:
What's happening here is that it looks like somebody realized they could save url encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody's profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com.
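To show the bug class Cortesi describes, here is an added example (hypothetical code, not Twitter's implementation and not the worm script): a profile-URL field whose stored value is URL-decoded and interpolated into HTML without escaping, next to a hardened renderer that restricts the scheme and HTML-escapes the value before output. The function names and the sample values are assumptions constructed for the illustration.

```javascript
// Hypothetical rendering code for a profile "URL" field, not Twitter's own.
// The stored value arrives URL-encoded (the trick described above); the
// vulnerable path decodes it and drops it straight into markup.
function renderProfileLinkVulnerable(storedUrl) {
  const url = decodeURIComponent(storedUrl);
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http and https are acceptable for a profile link; this rejects
// javascript:, data: and anything that does not parse as a URL at all.
function isSafeHttpUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  return parsed.protocol === 'http:' || parsed.protocol === 'https:';
}

// Hardened path: decode, validate the scheme, then HTML-escape before
// interpolating into both the attribute and the text node.
function renderProfileLinkSafe(storedUrl) {
  let url;
  try { url = decodeURIComponent(storedUrl); } catch (e) { return ''; }
  if (!isSafeHttpUrl(url)) return '';
  const safe = escapeHtml(url);
  return '<a href="' + safe + '" rel="nofollow">' + safe + '</a>';
}

// Constructed sample inputs (not the real worm payload): an encoded value that,
// once decoded, closes the href attribute and opens a script tag, and a benign link.
const CONSTRUCTED_PAYLOAD = encodeURIComponent('http://example.com/"><script>alert(1)</script>');
const CONSTRUCTED_BENIGN = 'http://example.com/profile';

console.log(renderProfileLinkVulnerable(CONSTRUCTED_PAYLOAD)); // script tag reaches the page
console.log(renderProfileLinkSafe(CONSTRUCTED_PAYLOAD));       // inert, escaped text only
console.log(renderProfileLinkSafe('javascript:alert(1)'));     // empty: scheme rejected
```

Output escaping on re-display is what closes the stored-XSS hole; the scheme check additionally stops a link that is well-formed HTML but still executes when clicked.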
So, why did Twitter leave its users in the dark, without up-to-date information? And why were so many people affected by this script?
Lessons To Be Learned
- Nothing on the Internet is 100% safe and it never has been. Assuming that links posted in tweets are safe to visit is pure folly.
- Twitter should have kept users informed!
- XSS and CSRF attacks are increasingly prevalent these days. If you are unfamiliar with either of these terms you really need to do some reading. If you are online, you will be exposed to these attacks. The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.
- Keep your antivirus and firewall rules up-to-date.
- If you are using Firefox, install the NoScript plugin. This addon will prevent scripts from running unless you explicitly allow them, effectively creating a whitelist of scripts you are happy to run.
- Become familiar with your Operating System's hosts file. The hosts file can be used to block access from your computer to a domain. It is not a "cure all" for Net nasties and should not be overused, but it can provide an extra layer of protection against unwanted access to domains you want to steer clear of.
As soon as details of the stalkdaily injection became available, I added these to my hosts file:
127.0.0.1 stalkdaily.com (the domain tweets were linking to);
127.0.0.1 mikeyylolz.uuug.com (the domain the script was being loaded from).
- Consider using the free OpenDNS service for added security.
- And - importantly - make sure you know where a link is taking you! Short URLs are useful on social networking sites with character limits, but can be used to obfuscate dangerous links. TweetDeck now has a long-URL feature to show you the short-URL destination. There is also a Firefox extension and a Greasemonkey script for displaying the destination URL. You can get them here: http://longurl.org/tools.
More Reading
- Wikipedia page on cross-site scripting
- The Twitter XSS code (this is for informational purposes - hole is now blocked)
- Blocking unwanted parasites with a hosts file.
I won't be following the aftermath of the StalkDaily incident, so here's some more information about it that you may like to follow:
- http://www.techcrunch.com/2009/04/11/twitter-hit-by-stalkdaily-worm/
- http://www.networkworld.com/community/node/40822
- http://mashable.com/2009/04/11/stalkdaily-twitter/
In conclusion, XSS is an issue all web users need to be aware of. Proactive protection against infection and basic safe computing practices will reduce your exposure to risk. And, even though you may personally know the people you are networking with on social networking sites, keep your skepticism hat on and never blindly believe everything you read - you never know when someone other than your contact is controlling their account.