
Second Twitter XSS Attack in 24 Hours

Almost 24 hours after the first XSS attack on Twitter, which resulted in thousands of tweets linking to an infected site, Twitter.com is under attack again. This new threat comes only hours after Twitter announced that it had closed a security vulnerability that had allowed the so-called "StalkDaily" worm to spread through script injection into users' profiles.

StalkDaily had earlier stated on their website that it had nothing to do with the attacks:

For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this…StalkDaily is a website that follows the same functions as Twitter, except more advanced How? Well, instead of just adding an “update status”, people can add pictures and videos. Then you can stalk them, so when they upload a video or picture, or comment someone, you’ll know!

Later, an admission was reportedly made that Mikeyy Mooney, the 17-year-old owner of the StalkDaily site, was responsible.
UPDATE: The site now shows an admission that he is the culprit.

And, now he is back!

This time, tweets are being sent out with the word Mikeyy or Mickeyy, and they have a twist: the tweets are disguised as warnings and include messages such as:
"Wow...Mikeyy."
"Man, Twitter can't fix shit. Mikeyy owns. :)"
"Dude! Mikeyy! Seriously? Haha. ;)"
"Dude, Mikeyy is the shit! :)"
"damn mikeyy. haha."
"Twitter should really fix this..."
"Mikeyy I am done..."
"Mikeyy is done.."
"Twitter please fix this, regards Mikeyy"

This time, however, the script is injecting obfuscated code into the Twitter profile CSS. As with the StalkDaily XSS injection, user profiles are being altered and anyone visiting an infected profile while logged on is finding their own profile infected.
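The flaw class described above, profile values stored and then echoed into page markup and CSS, is closed on the server by validating each field against the shape it is meant to hold and encoding it on output. The following is an added example, not Twitter's code and not part of the original post; the field names (`name`, `url`, `link_color`), the 50-character limit and both sample profiles are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Allow-list patterns: each field accepts only the shape it is meant to hold.
HEX_COLOR = re.compile(r"[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?")
SAFE_SCHEMES = {"http", "https"}


def validate_profile(fields):
    """Return {field: reason} for every value that must be rejected."""
    problems = {}
    name = fields.get("name", "")
    if len(name) > 50 or any(ord(c) < 0x20 for c in name):
        problems["name"] = "too long or contains control characters"
    url = fields.get("url", "")
    if url:
        parts = urlsplit(url)
        if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
            problems["url"] = "must be an absolute http(s) URL"
        elif re.search(r"[\s\"'<>`]", url):
            problems["url"] = "contains quote, bracket or whitespace"
    color = fields.get("link_color", "")
    if not HEX_COLOR.fullmatch(color):
        problems["link_color"] = "must be 3 or 6 hex digits"
    return problems


def render_profile(fields):
    """Render validated fields; every value is still encoded for its context."""
    if validate_profile(fields):
        raise ValueError("refusing to render unvalidated profile")
    name = html.escape(fields["name"], quote=True)
    url = html.escape(fields.get("url", ""), quote=True)
    # The color matched HEX_COLOR, so it cannot close the rule or the <style> tag.
    css = "<style>a { color: #%s; }</style>" % fields["link_color"]
    return '%s\n<a href="%s" rel="nofollow">%s</a>' % (css, url, name)


# Constructed sample input: a benign profile and one carrying markup in two fields.
CLEAN = {"name": "Ann <3", "url": "https://example.com/ann", "link_color": "0084B4"}
TAINTED = {"name": "Bob", "url": 'http://example.com/"><script>',
           "link_color": "0084B4;}</style><script>"}

if __name__ == "__main__":
    print(render_profile(CLEAN))
    print(validate_profile(TAINTED))
```

Validation alone is not enough for free-text fields such as the name, which is why `render_profile` still HTML-encodes it; the color needs no encoding only because the allow-list leaves nothing to encode.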

Zymic, which was hosting the original script, has closed down the mikeyylolz.uuuq.com site for breach of its terms of service. You can go to it yourself to check if you like, but I'm not including a link to Zymic here - it is a free hosting service that has hosted a lot of hackers and scammers.

Clearly, Twitter has a major problem on its hands. However, the biggest problem is the viral nature of social networking itself. The Mikeyy/Mickeyy code was injected and sent out tweets, but Twitter users, by hitting the panic button and retweeting the worm's messages, just compounded the problem. If you receive a tweet with the word Mickeyy or Mikeyy, the best thing to do is ignore it. Twitter is aware of the problem and is apparently working on it. RT'ing is only building this jerk's notoriety and ensuring his name won't be forgotten in a hurry.

If your profile has been infected, fix it by following these steps:

  • Clear your browser cache and delete all cookies;
  • Log in to Twitter;
  • Change your password;
  • Delete any tweets made on your account that contain the Mikeyy or Mickeyy name;
  • Look at all of your settings fields - name, URL, etc. - and if you find any script in these fields, delete it completely and re-enter your information;
  • Log out and do not log in to twitter.com again until Twitter announces that this script has been taken care of.
    The Mikeyy script is in the CSS, and this is not editable by Twitter users. From initial reports, staying logged out keeps the account clear of script activity. Logging on and using Twitter through an external client does not trigger reactivation of the script.

In my earlier article StalkDaily Twitter XSS - Lessons Learned, I outlined things you can do to protect yourself against these types of XSS attacks. It's up to Twitter to secure their site, but it's up to tweeters to minimise the damage such attacks can do. So far, we have been lucky that the attack has only been targeted at inconveniencing Twitter (and bringing fame to its creators) - next time, we could find ourselves being targeted.

UPDATE:

The worm is mutating, so please be very careful when you log in to Twitter! These JavaScript-based cross-site scripting injections are appearing on hacker sites, and the vulnerabilities they are exploiting have been in the wild for several weeks (see: TheRegister). So far, accounts have not been damaged (although nobody yet knows how much personal information could end up being compromised), but Michael Mooney has said profile backgrounds will be removed next.

F-Secure has published information about these worms and said:

This is not over. There's going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter, don't view profiles, don't follow links. It's beautiful outside, maybe go for a walk instead?

If you see tweets saying this is over and it's safe to visit profiles again, don't believe them until you have checked the Twitter status page for confirmation that Twitter is clean of infection.


{ 13 comments }

  1. 1 djackmanson (David Jackmanson) April 12th, 2009 at 3:35 pm

    More info on how to get rid of the #mikeyy #stalkdaily worm http://lynnepope.net/twitter-xss-attacks

  2. 2 TwittaBucks (TW Bucks) April 12th, 2009 at 5:06 pm

    Second Twitter XSS Attack in 24 Hours « a.k.a Elpie »: Twitter has been hit by two cross-site scripting attacks .. http://tinyurl.com/d82oqs

  3. 3 mizansyed (Mizan Syed) April 12th, 2009 at 6:43 pm

    2nd Twitter XSS Attack in 24 Hours http://lynnepope.net/twitter-xss-attacks
    I reported this prob couple weeks ago even mentioned it here.

  4. 4 Reverend Dom April 13th, 2009 at 3:39 am

    Very helpful. Thank you!

  5. 5 LeRoy60 (LeRoy60) April 13th, 2009 at 8:39 am

    @marjicurran1 Marji ... this may explain the "stalking" comment - http://lynnepope.net/twitter-xss-attacks

  6. 6 LeRoy60 (LeRoy60) April 13th, 2009 at 9:19 am

    seems this worm is taking on a life of its own - just in case anyone's hit - http://lynnepope.net/twitter-xss-attacks

  7. 7 Shellshocked (The Conch (Simon)) April 13th, 2009 at 9:59 am

    #mikey solution1.) http://lynnepope.net/twitter-xss-attacks 2.) Turn off java script to block redirection when changing ... pls RT

  8. 8 stonermc (Jools Lloyd) April 13th, 2009 at 12:05 pm

    Currently reading: http://lynnepope.net/twitter-xss-attacks for info about the worm thing.

  9. 9 stonermc (Jools Lloyd) April 13th, 2009 at 12:05 pm

    Currently reading: http://lynnepope.net/twitter-xss-attacks for info about the worm thing.

  10. 10 LindaLorie (Linda) April 13th, 2009 at 2:37 pm

    Must read updated article! Second Twitter XSS Attack in 24 Hours http://lynnepope.net/twitter-xss-attacks

  11. 11 jh2fct (James Herbert) April 23rd, 2009 at 1:52 am

    #fct Truth is they are right. A worm was propagated on twitter using XSS. http://lynnepope.net/twitter-xss-attacks

  12. 12 theplacefordev (Rusted) April 23rd, 2009 at 7:15 am

    Reading about how Twitter was hacked using XSS http://lynnepope.net/twitter-xss-attacks

  13. 13 brutal_meljan (Mel de Guia) April 23rd, 2009 at 8:44 am
