
I was away for the weekend attending PragueCrunch (more on that later), so I missed most of the conversation about Mikeyy, the Twitter worm that’s been plaguing the micro-sharing service for the last couple of days. And just as I was reading up on it, it seems like a fourth attack is being carried out as I’m writing this. That means that Twitter has not yet fully fixed the issue that arose during the weekend, and the messages Mikeyy is posting reflect that:
How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1s
This worm is getting out of hand Twitter. – Mikeyy
Twitter, your community is going to be mad at you… – Mikeyy
Update: at 3:40 am PST, Twitter posted a message saying that they believe the situation is now under control, and that they’ll continue to monitor Mikeyy.
Users are being advised to refrain from using the web version and use third-party apps instead, as well as to be careful when clicking links. Other steps that should be taken are changing your bio and URL and changing or resetting your hex color.
I would also recommend taking further precautions, like disabling JavaScript in your browser, clearing your cache and cookies and maybe even changing your password, even if Twitter has previously informed users that no passwords, phone numbers or other sensitive information were compromised as part of this renewed attack.
You can keep track of Twitter’s Status blog and @spam account for updates.

I can only imagine how much damage this is doing to the startup’s reputation, and how the community will react to this new round of attacks when word gets out en masse. Granted, having unwanted messages posted to your account is more of an annoyance than a genuine security risk, but this is clearly severely impacting the way people look at and use the service now, particularly those who use Twitter for commercial reasons.
Sad.
It’s sad that twitter thinks validating html forms and sanitizing malicious code is hard. Reading their blog you’d think they were protecting an operating system. What a joke.
“lame, lamer, the twittest”
I love it when a kid stirs sh!t up. I know it’s a pain in the ass, but hacking of this kind is good for the security of the interwebs in general. It exposes flaws in the specific app, and scares the crap out of other site admins that should be safeguarding against stuff like this.
Mikeyy…you’re walking a fine line and will probably end up facing some seriously angry Feds, but if they offer you a gig at the NSA or CIA please take it. We need you and other like you to safeguard our systems!!
Yeah, and tuberculosis is good for building our immune systems. What a crock of shit, this line of reasoning.
Paul, that is the dumbest analogy I’ve ever read.
It’s a cross-site scripting attack, about the simplest hack known to man, and you’re suggesting the CIA hire this kid?
It does not show the kid’s got a hacking gift, only that Twitter are completely incompetent.
There’s evidence that lack of modern parasites is the cause of autoimmune disorders. So a disease not quite as extreme as tuberculosis could indeed help build our immune systems.
twitter only needs to sanitize its data.
mysql_real_escape_string
They must have spaghetti code, if they can’t sanitize user input, before querying the db.
O’reilly taught me this. Come on twitter. Spend 19.99 out of your 40 million, and read the php cookbook.
err.. unless twitter was programmed in rails, then I just look foolish.
The problem should be solved soon..
Hope this Would Be HelpFul for you Guys – How to get rid of Mikeyy worm in Twitter? http://www.thewwwblog.com/how-to-get-rid-of-mikeyy-worm-in-twitter.html
Yeah, that’s really sad news. I think Twitter really needs to clean their system again. Twitter, please schedule a maintenance period for it; we won’t deny it.
http://www.smartbloggerz.com
Sad? It actually validates the medium.
Anything worth looking at throughout history is always worth:
a) spamming
b) propagating viruses
If Twitter didn’t meet those tests, it would surely die.
$55 million in funding and you can’t fix some XSS holes?
I don’t know why this is surprising people. Twitter has long shown technical incompetence. The service isn’t practical, is implemented poorly, and will not be able to generate revenue. The only reason it gets press is because of the founders. Ridiculous. The entire tech community should be held accountable for inflating this piece of junk.
You tell ‘em! In a couple of years, the world will look back and say anon was right about everything … I can hear them now: “if only we had listened to anon, the world would be a better place. We should get anon a statue and his own national holiday.”
LOL. good one
Let’s face it, you don’t understand any of the technical bits of this issue anyhow.
It’s easy to be cute on your own blog, but if you know anything about web security, you’ll realize this is a very trivial issue to solve. It’s like not salting and hashing passwords in a database.
God will someone fire Robin?
And a free pad, booze, broads, blow plus an Xbox. Let them drive a Hyundai though.
Karan, I realize that very well, but I can’t understand why someone goes through the trouble of hiding under anonymity when they actually have something sensible to say. Anon is particularly good at that.
Yakov, thanks for bashing me non-anonymously, now at least I know it’s coming from someone running a questionable business.
Robin,
Simply put, the reason I remain anonymous is to protect my identity and my future opportunities in the web industry and business community in general. The comments I leave on TC tend to be quite harsh, are written in a stream of consciousness manner, and don’t necessarily originate from a rational place. As I’m sure you know, the web turns over quite rapidly, and the company you are bashing today could be the same one offering you a sweet employment package tomorrow. The permanence of the web is real, so if there is an option to remain anonymous, I choose it.
In addition, the editorial on TC tends to come from a biased viewpoint that makes me uncomfortable as a reader (this article does not apply). I enjoy playing devil’s advocate to both expose this bias, and to continue the conversation. The dogmatic nature of traditional journalism will die with print, leaving the Socratic Method free to evolve on the internet.
When searching for truth, what is said should always carry more weight than who it is said by. I am anon. I am everyone and I am no one.
So wait, Yakov’s DomainSponsor is questionable, yet your boss was in very much the same business a few years ago. Arrington was CEO of pool.com, who sell backordered domains, which is what people use to buy domains to put on DomainSponsor, or to hold ransom to the people that let them expire.
What does that say about you Robin? Get off your high horse.
Love, mom.
By default all comments on TC are anonymous. Just because I type a realistic name into the name field doesn’t really assure who I actually am.
Admit to defeat robin batman has had your lunch, again.
exactly they to do less tv shows and fix the problem at hand. amateur hour over there.
Feel free to use http://www.tweetizen.com – we offer a simple and quick web interface to check your tweets, create groups on twitter and we’re not affected by this nasty little worm.
When people ( like me ) are having problems with their twitter account Pallian decides to promote his website
LoL funny
Got to hustle
But seriously, surfing your tweets on tweetizen is safe… and till twitter fixes it, keep track of everything mickeyy here: http://www.tweetizen.com/trends/Mikeyy
Funny!
I just got hit by this message:
“Twitter, hire Mikeyy (718) 312-8131”
Anyone want to take a chance at calling that number?
Wait – isn’t that Arrington’s number?
That’ll be the next 8675309
This isn’t good for Twitter as with the mainstream exposure this will make people wary of the service!
I have a hard time believing this didn’t compromise phone numbers or passwords. Technically, with XSS shouldn’t the script be able to open the prefs page in a hidden frame and retrieve a phone number and/or password?
this worm works the same way as StalkDaily and the “Don’t Click” worm. Twitter seem to apply a temporary patch which can still be exploited.
How hard is it to just go through the site and force all entered HTML to be escaped? Surely there are Ruby libraries that do this easily.
This appears to be Mickeyy as well – Googling him it would appear previously he hacked Stickam as well:
http://stickam.com/demon
After being hit with this little worm, total lock down for my account:( NO MORE FOLLOWERS
It’s freaking crazy mess for Twitter to fix.
I wonder how many devs are called from their sleep
I don’t get it, can’t they just htmlspecialchar() all input or output? .. How hard can it be? Or is more going on here?
Yeah – makes no sense to me. The 17 yr old Mickeyy’s making Twitter look like idiots.
they should just hire the kid and put an end to this quickly and let the PR team spin up a good story.
Hire him? The FBI should break down his fricking door and cart him to juvey, mewling and crying in the middle of the night.
Cart him off? What he’s doing clearly isn’t right, he could have emailed Twitter and let them know of the holes, but “cart him to juvey” and he’ll just turn into another black hat.
It’s easy to fix – you just escape all HTML at any place the user can enter text. I’m really surprised they haven’t done this yet – there aren’t many places on Twitter to do this.
May be an ignorant comment but does being a victim of this worm risk the security of your accounts on other sites?
I was okay on the updates page, but as soon as I went to the Settings page, I got hit.
This little dude pumped a document.write in the title textbox that kicks off a script using the usual img tag…
Thank god I have a slow connection cos I managed to delete the title box, pump some random characters in, then hit save before the script kicked off… took me a dozen attempts though!
You realise that you’ve typoed Mikeyy in the title/url of this post?
argh, fixed, thanks.
Funny, even TechCrunch is open for XSS attacks.
What if some one posts some thing that makes 1836K Readers affect ALL at ONCE?
This is ridiculous and definitley not good for Twitter when it is advised that users not visit your website. Can’t be any good for attracting advertisers/buyers for any monetization plans. At what point do things like this start to really harm Twitter? How many times/ breaks does Twitter get? If this is 2 years ago, does Twitter survive? How about 1 year ago? Being known as "that service" whose website you should stay away from in fear of some worm is not good.
So many people use the service through the API/third parties and are therefore unaffected that Twitter would actually not be as affected as you would think. I rarely use the web interface for Twitter, not for this reason, but because I’m always on the go and use Tweetie instead. Twitter took off partially because of Twinkle (an iPhone twitter app) and the local feature… It’s only recently that twitter has received media attention and use, and therefore high visibility from the masses.
Yum code:
http://pastie.org/444836
I guess Twitter doesn’t have to fear much. They have critical mass of early adopters and main stream media is plugging in. Every service has bugs and patches.
Aren’t they running on RoR? <?=h ?> ? Pattern match in your templates for <?= at each stop ask yourself.. Where did I get this info? Still a Ruby/Rails noob but still I think that generally is the way…
Is it fixed yet?
Is it the end of twitter ?
This incident clearly shows that the Twitter “platform” isn’t built for prime time. I don’t think they expected this level of success this quickly. They seem to be keeping it up by putting bandaids everywhere. Could this be the straw that breaks their back?
I posted this on my blog but here are the vulnerability points I’ve seen from testing:
1. twitter.com/infecteduser
2. twitter.com/infecteduser/followers
3. twitter.com/infecteduser/friends
4. twitter.com/infecteduser/status/any-status-id
5. twitter.com/yourpage/followers?page=any-page (if you are followed by an infected user on that page, with or without “?page=number”)
6. twitter.com/yourpage/friends?page=any-page (if you are following an infected user on that page, with or without “?page=number”)
And if you are already infected and trying to fix it
7. twitter.com/account/settings
twitter appears to have stopped the worm from spreading from points: 1, 5, 6.
2, 3, 4, 7 appear to still be vulnerable.
Blog post on how to protect yourself in case you were affected by the Mikeyy worm: http://www.pallian.com
I think the problem has been fixed – Twitter escapes characters in profile title – and the Javascript file with the payload is showing 404.
Twitter believe it has the situation under control, see update in post for more info.
For how many times have they believed this already? Must be the zillionth time or so. Twitter’s tech team is lame, lame, lame.
In other words: What Twitter believes isn’t relevant. Relevant is the reality only.
I’d like to point out that it was also setting the protected updates setting to off for those affected by it. This has more implications than any of the other stuff it was doing.
oh damn!
Why would changing your bio, URL and hex color help protect you from this?
George
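Several commenters above say the fix is simply to escape all HTML wherever the user can enter text, and George asks why the bio, URL and hex color matter. The following is an added example (not Twitter’s code, and not from the article or any commenter) showing how a Rails-style app would handle those profile fields: free-text fields are HTML-escaped on output, the URL is restricted to http/https, and the hex color, being structured data, is validated against a strict pattern rather than escaped. The field names and the sample profile are constructed for illustration; the script tag in it is a harmless placeholder, not the worm’s payload.

```ruby
require 'cgi'
require 'uri'

# Constructed sample: a profile the way an infected account might look, with
# markup stuffed into every field the worm abused (name/title, bio, URL, color).
INFECTED_PROFILE = {
  name:  "Mikeyy<script>document.write('<img src=x>')</script>",
  bio:   "Hi \"there\" & welcome",
  url:   "javascript:alert(1)",
  color: "#ff0000\"><b>x",
}.freeze

# Free-text fields: escape on OUTPUT, every time they are rendered into HTML.
# CGI.escapeHTML (Ruby stdlib) turns < > & " ' into entities, so a stored
# <script> tag is shown as text instead of being executed.
def escape_text(s)
  CGI.escapeHTML(s.to_s)
end

# Profile URL: an attribute value, so escaping alone is not enough; a
# javascript: scheme would still run when clicked. Allow only http/https.
def safe_profile_url(s)
  uri = URI.parse(s.to_s) rescue nil
  return nil unless uri && %w[http https].include?(uri.scheme)
  escape_text(uri.to_s)
end

# Hex color: structured data with a known shape, so validate with a strict
# pattern and fall back to a default instead of trying to escape it.
HEX_COLOR = /\A#?\h{6}\z/
def safe_hex_color(s, default = "000000")
  m = HEX_COLOR.match(s.to_s.strip)
  m ? m[0].delete('#').downcase : default
end

# Render the whole profile through the appropriate handler per field.
def render_profile(p)
  {
    name:  escape_text(p[:name]),
    bio:   escape_text(p[:bio]),
    url:   safe_profile_url(p[:url]),
    color: safe_hex_color(p[:color]),
  }
end

# Sanity check a practitioner can run over rendered fields: no raw tag or
# quote characters may survive in any text field after rendering.
def rendered_safely?(rendered)
  rendered.values.compact.none? { |v| v.match?(/[<>"]/) }
end

puts render_profile(INFECTED_PROFILE).inspect
```

Note that this is output escaping, not input filtering: the stored value keeps whatever the user typed, and every template that prints it must go through escape_text (in Rails, the `h` helper the comment above refers to).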