The service's staff has trouble keeping up with all the XSS weaknesses

Apr 14, 2009 10:39 GMT
Twitter administration has trouble securing the micro-blogging platform from XSS attacks

Late on Saturday, and again on Monday, the increasingly popular micro-blogging platform Twitter faced the e-wrath of Mikeyy again. A new worm released by the teenager affected its users, who unwittingly began to post new rogue messages on their profiles.

During this past weekend, the Twitter staff fought a cat-and-mouse game with Mikeyy Mooney, a 17-year-old Web programmer, who discovered several cross-site scripting flaws affecting the service. In an interview for an online publication, Mikeyy admitted to the attacks and attributed them to boredom.

By exploiting the XSS flaws that he identified while inspecting Twitter's source code in order to create his own similar service, the teenager succeeded in launching worm-like attacks. The injected code infected any user who merely viewed a compromised profile, and the newly infected account then posted the same malicious messages, spreading the worm further.

In total, three waves of attacks were acknowledged by Twitter Co-Founder Biz Stone on the company's blog. The service's staff had to temporarily suspend and reset passwords on hundreds of accounts, as well as clean over 10,000 abusive tweets (messages posted on Twitter).

Each incident was followed by assurances from the management that the exploited cross-site scripting vulnerabilities had been patched. "Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future," Mr. Stone noted.

This fourth wave of attacks mocked Twitter's security and the efforts of the admins working around the clock to keep up with them. Some of the messages read, "Twitter, hire Mikeyy!," followed by what some journalists confirmed to be the teenager's real phone number.

Others promoted a short URL that allegedly led to cleaning instructions for the worm. In reality, the link only spread it further: clicking on it redirected users to a compromised profile, causing their own accounts to be infected as well.

Twitter confirmed this new attack and pointed out that it had been dealt with, but Graham Cluley, senior technology consultant at anti-virus vendor Sophos, is not so convinced. "What's most alarming to me, though, is that it seems Twitter was caught with its pants down in the aftermath of all of these attacks. To be hit by one cross-site scripting worm may be regarded as a misfortune, to be struck three or four times over a weekend looks like carelessness," the security researcher writes.