Twitter Gets Slammed By the StalkDaily XSS Worm 145
CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."
Would you trust StalkDaily? (Score:5, Insightful)
Seriously, would you? The developer admits to infecting people's computers and accounts in order to advertise his services, and doesn't think he did anything wrong. How can anyone trust his services then?
For starters he should be forced to take down StalkDaily. I'm sure Tweeter lawyers are looking into this right now. And for once, I agree with such a move. /not a tweeter user
Re:Clearly he should be made to (Score:2, Insightful)
There are no infected PC's. The only thing 'infected' was people's twitter statuses, and now that the exploit was patched, there is no virus, since the code was executed by the server, not by the individual computer.
This sounds pretty harmless.
Re:author found. Now what? (Score:5, Insightful)
Re:Ummmm (Score:2, Insightful)
Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.
Could the same not be argued about malicious/annoying scripting language code, or any interpreted code for that matter?
If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.
Maybe its just me, but I think that depending on what country you are in the laws for what you are responsible for change quite a bit.
Re:Would you trust StalkDaily? (Score:4, Insightful)
Two issues with your post:
One, the dev did not infect anyone's computers. He wrote a small program, on the site, that would update the profile of anybody who saw one of the spam comments. For example, you visit a friend's page who has one of these comments (and therefore the code) and your profile is updated with a comment (and the code). The only "infection" was on the site, not the end users. Also, no accounts were hacked. Simply a case of instructing the visitor's browser to slyly update the visitor's status while looking at a different page. TFA states that there were no passwords, usernames, or anything else in the code.
Two, it's twitter.
Re:To hire or to jail, that is the question (Score:5, Insightful)
Re:Bit obvious (Score:2, Insightful)
Actually, we had a meeting where we agreed that ToS's are by nature BS. We didn't invite anyone over 30, so I don't know if you missed the memo or just weren't invited.
Sounds Like A Publicity Stunt (Score:4, Insightful)
FTA:
StalkDaily.com is similar in design and features to Twitter. In addition to the features of Twitter, it also allows users to upload videos and photos. Through looking at the code behind Twitter, Mikeyy was able to produce a similar site to Twitter with some additional features. "I used my past knowledge to gain an insight on how Twitter worked and outputted to a user. Although both of the sites are coded in different languages I was able to give my site the same features as Twitter, while coding some of my own."
It sounds to me like the kid was trying to promote his Twitter knockoff site, but for some reason felt the need to do so by poking a stick in Twitter's eye. Makes me think the whole thing was a juvenile cry for attention. I knew a kid like that in high school. He was smart as could be but would do anything, no matter how socially unacceptable, to get attention.
I think the kid needs counseling and guidance and not a jail sentence.
Re:NoScript? (Score:3, Insightful)
You're not ignorant. You're right. In addition, recent Firefox browsers have built-in XSS blocking.
Re:throw the scumbag in jail (Score:1, Insightful)
Samy is my hero (Score:3, Insightful)
Re:To hire or to jail, that is the question (Score:5, Insightful)
I say anything that slows down the spread of those fucking annoying twitter people is a good thing and he should be awarded a medal.
Tweet this, bitch.
Re:author found. Now what? (Score:3, Insightful)
âoeI am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.â
Every inch of this quotation just makes you want to beat the kid. I bet he has an annoying voice, too.
Re:NoScript? (Score:3, Insightful)
Yeah right! Every time some vi comes up, people start holding NoScript as a panacea. I use NoScript so I am aware of its advantages. But it's not a cure-all. There are so many sites (twitter in this case) which simply do not work without Javascript being enabled. So most of the NoScript users who use twitter through a browser will have Javascript enabled - by white listing it in NoScript. So, no sorry, NoScript is not a protection against this one.