The Tech Herald

Twitter suffers Easter weekend problems

by Steve Ragan - Apr 13 2009, 16:20

Over the holiday weekend, a 17-year-old thought he would promote his site by using Cross-Site Scripting (XSS) to force visitors into tweeting comments about the site and links directly to it. Shortly after that stunt, he used a different XSS attack to launch a second round of non-malicious, but seriously annoying, posts.
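Two defensive measures follow from the kind of profile-stored XSS described above: escaping user-controlled fields on output, and scanning stored fields during clean-up to find accounts that still carry injected markup. The Python below is an added illustration, not code from the original article or from Twitter; the profile records are constructed, and the regex is a coarse triage heuristic rather than a complete XSS filter.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample profile records (not real Twitter data). "mallory" carries
# an inert script tag in the bio, "trent" an event-handler attribute injected
# into the URL field, and "eve" a javascript: URL. All payloads are no-ops.
SAMPLE_PROFILES = {
    "alice":   {"bio": "Hello, world", "url": "https://example.invalid/alice"},
    "mallory": {"bio": "hi <script>alert(1)</script>", "url": "https://example.invalid/m"},
    "trent":   {"bio": "plain", "url": 'http://example.invalid/" onmouseover="alert(1)'},
    "eve":     {"bio": "eve", "url": "javascript:alert(1)"},
}

SAFE_SCHEMES = {"http", "https"}

# Coarse clean-up heuristic: script tags, on*= handlers, javascript: URLs.
SUSPICIOUS = re.compile(r"<\s*script|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_profile_unsafe(profile):
    """The vulnerable pattern: user-controlled fields pasted straight into HTML."""
    return '<a href="%s">%s</a>' % (profile["url"], profile["bio"])


def render_profile_safe(profile):
    """Hardened: every field is HTML-escaped (quotes included) and the link is
    replaced with "#" unless it parses as an http/https URL."""
    url = profile["url"]
    if urlparse(url).scheme.lower() not in SAFE_SCHEMES:
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(profile["bio"], quote=True))


def find_suspicious_profiles(profiles):
    """Clean-up aid: return (sorted) names of accounts whose stored profile
    fields contain script-like content, so they can be reviewed and reset."""
    return sorted(name for name, fields in profiles.items()
                  if any(SUSPICIOUS.search(value) for value in fields.values()))


if __name__ == "__main__":
    for name, profile in SAMPLE_PROFILES.items():
        print(name, "unsafe:", render_profile_unsafe(profile))
        print(name, "safe:  ", render_profile_safe(profile))
    print("needs clean-up:", find_suspicious_profiles(SAMPLE_PROFILES))
```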

“The worm introduced to Twitter this weekend was similar to the famous Samy worm which spread across the popular MySpace social-networking site a while back,” Twitter said in a blog post on the issue. In regards to pressing charges against the author, Michael Mooney, Twitter said, “Twitter takes security very seriously and we will be following up on all fronts.”

In an online interview with Net News Daily, Mooney said he launched the XSS out of boredom. “It was the middle of the night and I had nothing else better to do. I noticed the XSS vulnerability about a week back and decided to fiddle with it.”

He also mentioned that he felt bad about doing what he did in hindsight. “I feel pretty bad about it, but it’s not me that left the vulnerability out in the open. I could be storing their data for bad, yet I am just posting data from their account which will quickly address Twitter that something is wrong. Though if no one were to do something, quickly, someone else could something like me but store data, such as their email, name, mobile number and use it for future spamming.”

The website being promoted in the first wave of junk tweets was StalkDaily.com, which is now offline according to a post from Mooney. The site, he said, is similar to Twitter's popular micro-blogging service but offers additional features. Be that as it may, thanks to his stunt the site is unlikely ever to see any traffic or users.

The second XSS wave hit late in the weekend; this time the posts touted Mooney himself, with phrases such as “Man, Twitter can’t fix shit. Mikeyy owns. :)” or “Dude! Mikeyy! Seriously? Haha. ;)”.

It is important to note that the issues on Twitter this weekend could have been malicious, but in reality they amounted to an attempt to bring security issues to the attention of Twitter's developers. Mooney simply used a public demonstration of Twitter's flaws to promote his site and his “greatness”. Moreover, no account information was compromised; this is confirmed by both Twitter and Mooney himself.

Most of the early reports assumed the worst and advised accordingly. In a case like this, that was the right move to make.

Twitter said it is still investigating the issue.

“We are still reviewing all the details, cleaning up, and we remain on alert. Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future. We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered.”

Twitter has had similar issues in the past. However, none of the demonstrated attack vectors used promotion or ego as blatantly as Mooney did. 

The Tech Herald: Twitter account hijackings raise concerns over account protection

The Tech Herald: Twitter’s Clickjacking fix broken – then quickly fixed again

The Tech Herald: Twitter hit by account hijacking attack - 750 accounts confirmed compromised

The Tech Herald: Twitter faces another attack – XSS vulnerability discovered
