
I was away for the weekend attending PragueCrunch (more on that later), so I missed most of the conversation about Mikeyy, the Twitter worm that’s been plaguing the micro-sharing service for the last couple of days. And just as I was reading up on it, it seems like a fourth attack is being carried out as I’m writing this. That means that Twitter has not yet fully fixed the issue that arose during the weekend, and the messages Mikeyy is posting reflect that:
How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1s
This worm is getting out of hand Twitter. – Mikeyy
Twitter, your community is going to be mad at you… – Mikeyy
Update: at 3:40 am PST, Twitter posted a message saying that they believe the situation is now under control, and that they’ll continue to monitor Mikeyy.
Users are being advised to refrain from using the web version and use third-party apps instead, as well as to be careful when clicking links. Other steps that should be taken are changing your bio and URL and changing or resetting your hex color.
I would also recommend taking further precautions, like disabling JavaScript in your browser, clearing your cache and cookies and maybe even changing your password, even though Twitter has previously informed users that no passwords, phone numbers or other sensitive information were compromised as part of this renewed attack.
You can keep track of Twitter’s Status blog and @spam account for updates.

I can only imagine how much damage this is doing to the startup’s reputation, and how the community will react to this new round of attacks when word gets out en masse. Granted, having unwanted messages posted to your account is more of an annoyance than a genuine security risk, but this is clearly severely impacting the way people look at and use the service now, particularly those who use Twitter for commercial reasons.
Sad.
It’s sad that twitter thinks validating html forms and sanitizing malicious code is hard. Reading their blog you’d think they were protecting an operating system. What a joke.
“lame, lamer, the twittest”
I love it when a kid stirs sh!t up. I know it’s a pain in the ass, but hacking of this kind is good for the security of the interwebs in general. It exposes flaws in the specific app, and scares the crap out of other site admins that should be safeguarding against stuff like this.
Mikeyy… you’re walking a fine line and will probably end up facing some seriously angry Feds, but if they offer you a gig at the NSA or CIA please take it. We need you and others like you to safeguard our systems!!
Yeah, and tuberculosis is good for building our immune systems. What a crock of shit, this line of reasoning.
Paul, that is the dumbest analogy I’ve ever read.
It’s a cross-site scripting attack, about the simplest hack known to man, and you’re suggesting the CIA hire this kid?
It does not show the kid’s got a hacking gift, only that Twitter are completely incompetent.
There’s evidence that lack of modern parasites is the cause of autoimmune disorders. So a disease not quite as extreme as tuberculosis could indeed help build our immune systems.
twitter only needs to sanitize its data.
mysql_real_escape_string
They must have spaghetti code, if they can’t sanitize user input, before querying the db.
O’Reilly taught me this. Come on twitter. Spend 19.99 out of your 40 million, and read the PHP Cookbook.
err.. unless twitter was programmed in rails, then I just look foolish.
The problem should be solved soon..
Hope this would be helpful for you guys – How to get rid of Mikeyy worm in Twitter? http://www.thew...in-twitter.html
Yeah, that’s really sad news. I think Twitter really needs to clean their system again. Twitter, please schedule a maintenance period for it; we won’t deny it.
http://www.smartbloggerz.com
Sad? It actually validates the medium.
Anything worth looking at throughout history is always worth:
a) spamming
b) propagating viruses
If Twitter didn’t meet those tests, it would surely die.
$55 million in funding and you can’t fix some XSS holes?
I don’t know why this is surprising people. Twitter has long shown technical incompetence. The service isn’t practical, is implemented poorly, and will not be able to generate revenue. The only reason it gets press is because of the founders. Ridiculous. The entire tech community should be held accountable for inflating this piece of junk.
You tell ‘em! In a couple of years, the world will look back and say anon was right about everything … I can hear them now: “if only we had listened to anon, the world would be a better place. We should get anon a statue and his own national holiday.”
LOL. good one
Let’s face it, you don’t understand any of the technical bits of this issue anyhow.
It’s easy to be cute on your own blog, but if you know anything about web security, you’ll realize this is a very trivial issue to solve. It’s like not salting and hashing passwords in a database.
God will someone fire Robin?
And a free pad, booze, broads, blow plus an Xbox. Let them drive a Hyundai though.
Karan, I realize that very well, but I can’t understand why someone goes through the trouble of hiding under anonymity when they actually have something sensible to say. Anon is particularly good at that.
Yakov, thanks for bashing me non-anonymously, now at least I know it’s coming from someone running a questionable business.
Robin,
Simply put, the reason I remain anonymous is to protect my identity and my future opportunities in the web industry and business community in general. The comments I leave on TC tend to be quite harsh, are written in a stream of consciousness manner, and don’t necessarily originate from a rational place. As I’m sure you know, the web turns over quite rapidly, and the company you are bashing today could be the same one offering you a sweet employment package tomorrow. The permanence of the web is real, so if there is an option to remain anonymous, I choose it.
In addition, the editorial on TC tends to come from a biased viewpoint that makes me uncomfortable as a reader (this article does not apply). I enjoy playing devil’s advocate to both expose this bias, and to continue the conversation. The dogmatic nature of traditional journalism will die with print, leaving the Socratic Method free to evolve on the internet.
When searching for truth, what is said should always carry more weight than who it is said by. I am anon. I am everyone and I am no one.
So wait, Yakov’s DomainSponsor is questionable, yet your boss was in very much the same business a few years ago. Arrington was CEO of pool.com, who sell backordered domains, which is what people use to buy domains to put on DomainSponsor, or to hold ransom to the people that let them expire.
What does that say about you Robin? Get off your high horse.
Love, mom.
By default all comments on TC are anonymous. Just because I type a realistic name into the name field doesn’t really assure who I actually am.
Admit defeat, Robin: Batman has had your lunch, again.
Exactly, they need to do fewer TV shows and fix the problem at hand. Amateur hour over there.
Feel free to use http://www.tweetizen.com – we offer a simple and quick web interface to check your tweets, create groups on twitter and we’re not affected by this nasty little worm.
When people (like me) are having problems with their twitter account Pallian decides to promote his website
LoL funny
Got to hustle
But seriously, surfing your tweets on tweetizen is safe… and till twitter fixes it, keep track of everything Mikeyy here: http://www.twee...m/trends/Mikeyy
Funny!
I just got hit by this message:
“Twitter, hire Mikeyy (718) 312-8131”
Anyone want to take a chance at calling that number?
Wait – isn’t that Arrington’s number?
That’ll be the next 8675309
This isn’t good for Twitter as with the mainstream exposure this will make people wary of the service!
I have a hard time believing this didn’t compromise phone numbers or passwords. Technically, with XSS shouldn’t the script be able to open the prefs page in a hidden frame and retrieve a phone number and/or password?
This worm works the same way as StalkDaily and the “Don’t Click” worm. Twitter seem to apply a temporary patch which can still be exploited.
How hard is it to just go through the site and force all entered HTML to be escaped? Surely there are Ruby libraries that do this easily.
This appears to be Mikeyy as well – Googling him it would appear he previously hacked Stickam as well:
http://stickam.com/demon
After being hit with this little worm, total lock down for my account:( NO MORE FOLLOWERS
It’s a freaking crazy mess for Twitter to fix.
I wonder how many devs are called from their sleep
I don’t get it, can’t they just htmlspecialchar() all input or output? .. How hard can it be? Or is more going on here?
Yeah – makes no sense to me. The 17-yr-old Mikeyy’s making Twitter look like idiots.
they should just hire the kid and put an end to this quickly and let the PR team spin up a good story.
Hire him? The FBI should break down his fricking door and cart him to juvey, mewling and crying in the middle of the night.
Cart him off? What he’s doing clearly isn’t right, he could have emailed Twitter and let them know of the holes, but “cart him to juvey” and he’ll just turn into another black hat.
It’s easy to fix – you just escape all HTML at any place the user can enter text. I’m really surprised they haven’t done this yet – there aren’t many places on Twitter to do this.
May be an ignorant comment but does being a victim of this worm risk the security of your accounts on other sites?
I was okay on the updates page, but as soon as I went to the Settings page, I got hit.
This little dude pumped a document.write in the title textbox that kicks off a script using the usual img tag…
Thank god I have a slow connection cos I managed to delete the title box, pump some random characters in, then hit save before the script kicked off… took me a dozen attempts though!
You realise that you’ve typoed Mikeyy in the title/url of this post?
argh, fixed, thanks.
Funny, even TechCrunch is open for XSS attacks.
What if someone posts something that affects ALL 1836K readers at ONCE?
This is ridiculous and definitely not good for Twitter when it is advised that users not visit your website. Can’t be any good for attracting advertisers/buyers for any monetization plans. At what point do things like this start to really harm Twitter? How many times/breaks does Twitter get? If this is 2 years ago, does Twitter survive? How about 1 year ago? Being known as "that service" whose website you should stay away from in fear of some worm is not good.
So many people use the service through the API/third parties and are therefore unaffected that Twitter would actually not be as affected as you would think. I rarely use the web interface for Twitter, not for this reason, but because I’m always on the go and use Tweetie instead. Twitter took off partially because of Twinkle (an iPhone twitter app) and the local feature… It’s only recently that twitter has received media attention and use, and therefore high visibility from the masses.
Yum code:
http://pastie.org/444836
I guess Twitter doesn’t have to fear much. They have critical mass of early adopters and main stream media is plugging in. Every service has bugs and patches.
Aren’t they running on RoR? <?=h ?> ? Pattern match in your templates for <?= and at each stop ask yourself… Where did I get this info? Still a Ruby/Rails noob but still I think that generally is the way…
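The fix the comments above keep asking for (htmlspecialchars, "escape all HTML at any place the user can enter text", Rails' `h` helper) is output encoding for the HTML context, which is a different thing from SQL escaping. This is an added Ruby example, not Twitter's code or any commenter's: the profile fields users were told to reset (bio, URL, hex color) are encoded at render time, with the URL scheme and color value checked against an allow-list first; the sample values are constructed.

```ruby
require 'cgi'
require 'uri'

# Constructed sample profile values (not data from the incident): each field
# carries something that would break out of its HTML context if rendered raw.
PROFILE = {
  bio:   'Hi there <script>document.write("x")</script>',
  url:   'javascript:document.write',
  color: '#ff0000"'
}.freeze

# Encode for HTML text content / attribute values. CGI.escapeHTML rewrites
# & < > " ' so the browser never sees a tag or attribute boundary.
def html_text(value)
  CGI.escapeHTML(value.to_s)
end

# URLs are validated against an allow-list of schemes before being encoded;
# javascript:, data:, or unparseable input is dropped rather than rendered.
def safe_url(value)
  uri = URI.parse(value.to_s)
  return nil unless %w[http https].include?(uri.scheme.to_s.downcase)
  html_text(uri.to_s)
rescue URI::InvalidURIError
  nil
end

# A hex color has a tiny grammar; anything that is not exactly that is rejected.
def safe_color(value)
  value.to_s =~ /\A#[0-9a-f]{6}\z/i ? value.to_s.downcase : nil
end

# Render a profile fragment. Every user-controlled value passes through the
# encoder for the context it lands in; nothing is interpolated raw.
def render_profile(profile)
  color = safe_color(profile[:color]) || '#000000'
  url   = safe_url(profile[:url])
  link  = url ? %(<a href="#{url}">#{url}</a>) : ''
  <<~HTML
    <div class="bio" style="color: #{color}">#{html_text(profile[:bio])}</div>
    #{link}
  HTML
end

puts render_profile(PROFILE) if __FILE__ == $0
```

The rendered output contains `&lt;script&gt;`, no link, and the default color, so the stored payload is displayed as text instead of executed.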
Is it fixed yet?
Is it the end of twitter?
This incident clearly shows that the Twitter “platform” isn’t built for prime time. I don’t think they expected this level of success this quickly. They seem to be keeping it up by putting bandaids everywhere. Could this be the straw that breaks their back?
I posted this on my blog but here are the vulnerability points I’ve seen from testing:
1. twitter.com/infecteduser
2. twitter.com/infecteduser/followers
3. twitter.com/infecteduser/friends
4. twitter.com/infecteduser/status/any-status-id
5. twitter.com/yourpage/followers?page=any-page (if you are followed by an infected user on that page, with or without “?page=number”)
6. twitter.com/yourpage/friends?page=any-page (if you are following an infected user on that page, with or without “?page=number”)
And if you are already infected and trying to fix it
7. twitter.com/account/settings
Twitter appears to have stopped the worm from spreading from points 1, 5, 6.
2, 3, 4, 7 appear to still be vulnerable.
Blog post on how to protect yourself in case you were affected by the Mikeyy worm: http://www.pallian.com
I think the problem has been fixed – Twitter escapes characters in profile title – and the Javascript file with the payload is showing 404.
Twitter believes it has the situation under control, see the update in the post for more info.
For how many times have they believed this already? Must be the zillionth time or so. Twitter’s tech team is lame, lame, lame.
In other words: What Twitter believes isn’t relevant. Only the reality is relevant.
I’d like to point out that it was also setting the protected updates setting to off for those affected by it. This has more implications than any of the other stuff it was doing.
oh damn!
Why would changing your bio, URL and hex color help protect you from this?
George
“I would also recommend taking further precautions, like disabling JavaScript in your browser, clearing your cache and cookies and maybe even changing your password, even though Twitter has previously informed users that no passwords, phone numbers or other sensitive information were compromised as part of this renewed attack.”
How about NOT using Twitter at all.
More info I think is here:
http://adjix.com/af5t
I think it’s time to call Sarah Palin!
Need to shoot someone this time for this all twitter mess..
(I don’t have gun license)
i can do it
Do us all a favor and just aim that at yourselves.
Twitter creates an acceptance of tiny URLs which is great for virus/trojan writers.
Honestly, does anyone use the Twitter site itself much anymore? The third-party apps out there are much more robust.
“I would also recommend taking further precautions, like disabling JavaScript in your browser”
“Granted, having unwanted messages posted to your account is more of an annoyance than a genuine security risk”
so which is it? is the sky falling, or is it just a few bad text messages? it seems like you would like to overreact (and have), but inside you know it’s just a few text messages. oh, twitter.
Not good for the Twitter community. It will just aggravate users and so they will turn on Twitter and go and use other micro-blogging services such as Identica, Facebook, Myspace, which they probably already do use!
If you’ve been watching the Twitter news this weekend you have seen @judyrey Tweeting and being RT’d frequently. I’ve been helping people stay safe in this attack, just as I did in the phishing attack in Jan. ‘09.
This attack has strong similarities to that attack or as later reported, attacks. No one was ever apprehended.
Due to this, I’ve been predicting, with a sad accuracy, Mikey Mooney’s next moves.
The fullest, most up-to-date info on how to stay safe, steps to take to remove the worms, and what is happening remains at my own blog (which is usually about art) at http://ungravenimage.com/blog
I have updated it with new posts Twice this weekend and will do so again soon.
I am using my blog as it is a fairly short URL, easy to update. Shortened, tiny URLs are very risky to click on during any attack on Twitter. As I predicted yesterday, Mikey Mooney is now using links.
Follow me, as I am here to help you! I’m not a Social Media expert, techie, or developer. I’m an artist and founder of a new theory of Post Conceptual art that transforms the way we actually see the world. So, I’m not benefiting from helping, but just doing what artists do, helping the community.
Thanks & stay safe!
Judy Rey Wasserman
@judyrey
This is what happens when you use Ruby on Rails.
This is what happens when you *misuse* .
Of course they could have avoided this by coding the website correctly; now they only have to solve it.
http://stdout.mybrute.com
The person(s) responsible for the attacks are committing an offense which is punishable by imprisonment. Have they thought of that?
We copy you X-14, over.
Check the Google employee list – see if someone named Mikeyy is currently an employee.
I smell devaluation!!
I don’t know why this is surprising anyone; hackers and spam are a part of the internet. No website is safe from hackers. They will always find a way to get at even the “most secure” websites. Quit your complaining, or go back to your typewriters. (;
The Church Lady has grandchildren and we are being PWNED. Ah, youth. Excuse me while I debug my Cheerios.
I need to because I can’t type my own tag correctly. Durned Rumatizz!
If Mikeyy really is a 17-year-old kid, I feel sorry for him when his parents get hold of him. Can you imagine the media frenzy outside this guy’s house right about now…
If there is no frenzy, then this is probably an attack by a group of professional hackers… I don’t see a kid continuing with this kind of thing once he’s been found out… with the prospect of cops, FBI, lawyers, parents and who knows who else beating down his bedroom door.
Question is, is this the first time it’s happened, or just the first time it’s been noticed? Are our PCs compromised? Do I need to change all my website passwords etc., in case rootkits have been installed?
Turn off the TV, genius. Nobody cares about these pranks except techcrunch and you. Twitter is a play toy. By the way, I hear that tc is changing its name to twittercrunch.
It was only mikeyy who did it, I know him and know his capabilities. He’s hacked mtv.com before, tons of stickam accounts/lives/chatrooms. Nothing new.
And btw, mikeyy mooney isn’t employed, yet.
Refrain from clicking the links that are shared in twitter, directly from the Twitter website. Instead, use one of the URL trackers like http://www.boilingpage.com, my favorite, that shows the hottest pages on the web based on how popular they are in twitter.
This worm is one of the best things to happen for Twitter. It will only improve the security on Twitter. As for Mikey Y, they will arrest him. It is a shame, hopefully Twitter will not ruin his future.
I think the worse is yet to come…
Is this really such a big deal to users? He’s not using it for malicious purposes, and it’s Twitter’s own fucking fault that it’s repeatedly happening. They need to get off their asses and fix it.