NEWS FROM THE LAB - Friday, April 17, 2009

Yet Another Twitter Worm Posted by Patrik @ 22:03 GMT

A new Twitter cross-site scripting worm is going around on Twitter. Just like the previous Twitter worms it talks about Mikeey.


Other messages used by the worm include:

Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
Horrible Coding!
@oprah - sup? welcome to twitter - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboyellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlCars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy

Once a user views an already infected profile they get infected as well. The name, location, website and bio all gets changed to Mikeyy and they start posting messages randomly picked from the list above.


The malicious script itself is downloaded from Twitter is working on fixing the problem.

This happens on the same day as media reports that Michael Mooney got a job because of his writing the first Twitter worms. So if he did this one too, what was the motivation? To get an even better offer from someone else!? Stupid.

For now, stay away from looking at user's profiles. Also Firefox and NoScript is a good combo.

Updated to add: Michael Mooney (Mikeey) confesses to writing this latest worm as well.