NEWS FROM THE LAB - Monday, April 13, 2009

Ongoing Problems at Twitter Posted by Mikko @ 09:37 GMT

Twitter administrators don't seem to be able to shut down the various XSS / CSRF worms that have been plaguing the service over the weekend.

The actual problems to end users haven't been devastating — so far. Most of the Twitter worms simply modify people's profiles to infect more users.

However, attacks like these could be much worse if the attackers incorporated nastier payloads, such as browser exploits.

The attacks have been credited to "Mikey" or "Mikeyy", who apparently was the administrator of a site called Stalkdaily. Stalkdaily was a competitor to Twitter, and apparently the original motive of the attack was to "steal" Twitter users to join this new service. The Stalkdaily web page is currently down.

The latest round of worms started just minutes ago. Apparently this run was started by a freshly registered user called cleaningUpMikey:


This is what the attack looked like:


If you clicked on the name or the image of the person sending the message, you would get infected as well and would send the same message - and anyone viewing your profile would do the same.
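Added illustration of the stored-XSS pattern behind a profile-propagating worm, placed beside its fix; this is example code written for this post, not Twitter's code, and the field name, template markup and sample values are assumptions:

```python
import html
import re

# Constructed sample profile values (not real Twitter data).
SAFE_NAME = "Alice <3 cats"
# Stands in for a stored-XSS payload: a worm puts markup like this into a
# profile field so it runs in the browser of everyone who views the profile.
HOSTILE_NAME = "<script>/* constructed worm body */</script>Bob"


def render_profile_vulnerable(display_name: str) -> str:
    """Interpolates the stored field straight into markup.

    Whatever a user saved in their profile becomes live HTML for every
    visitor, which is exactly the propagation path described above."""
    return f"<h1>{display_name}</h1>"


def render_profile_hardened(display_name: str) -> str:
    """Output-encodes the field so the browser shows it as text.

    html.escape turns < > & " ' into entities, so the worm's markup is
    displayed rather than executed."""
    return f"<h1>{html.escape(display_name, quote=True)}</h1>"


def contains_raw_markup(rendered: str, allowed_wrapper: str = "h1") -> bool:
    """Cheap regression check for a template: True if any live tag other
    than the template's own wrapper survives in the rendered output."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return any(t.lower() != allowed_wrapper for t in tags)
```

The check is only a smoke test for a single template; in a real application the encoding belongs in the templating layer so that it applies to every stored field, not just the display name.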

We can't confirm whether "Mikeyy" is really behind these attacks. We can't confirm the above phone number either. However, it was likely picked up from this page from a social networking site:


For now, don't view profiles in Twitter.

Updated to add:

A quick look at another incarnation of the same worm. This one was interesting, as it was using the bit.ly redirector in its messages.

Infected users were sending Tweets like this: "How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1S"

A message like this is particularly nasty, as there were plenty of re-tweets of this malicious message sent by genuine users.

The bit.ly link redirected back to Twitter, to the profile of user reberbrerber, which would infect any Twitter user who viewed it.

The good part about using a URL redirector is that now we can get exact statistics on how much traffic this link received. Turns out the URL got clicked over 18,000 times - and the figure is still growing.


And where were these users from?


One more chart. Based on Tweetscoop stats for the keyword mikeyy, the outbreaks are leveling out now: