Worms Security News

Twitter Gets Slammed By the StalkDaily XSS Worm 145

CurtMonash writes "Twitter was hit Saturday by a worm that caused victims' accounts to tweet favorably about the StalkDaily website. Infection occurred when one went to the profile page of a compromised account, and was largely spread by the kind of follower spam more commonly used by multi-level marketers. Apparently the worm was an XSS attack, exploiting a vulnerability created in a recent Twitter update that introduced support for OAuth, and it was created by the 17-year-old owner of the StalkDaily website. More information can be found in the comment thread to a Network World post I put up detailing the attack, or in the post itself. By evening, Twitter claimed to have closed the security hole."

  • Bit obvious (Score:5, Interesting)

    by Toe, The ( 545098 ) on Sunday April 12, 2009 @11:18AM (#27548751)
    Cool exploit, but worm-spamming your own public site is a bit, um, not well thought out. Or maybe it's a great way of getting a job. Depends on the legality of the worm, I suppose. :)
  • Comment removed (Score:2, Interesting)

    by account_deleted ( 4530225 ) on Sunday April 12, 2009 @11:21AM (#27548763)
    Comment removed based on user account deletion
  • Re:Ummmm (Score:1, Interesting)

    by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Sunday April 12, 2009 @11:23AM (#27548781)

    Why should he be held responsible? The XSS is just plaintext code. It has no meaning unless someone executes it.

    If TPB can't be held responsible for simply providing links to illegal downloads, surely this kid shouldn't be held responsible for writing up some XML style sheets.

  • by Anonymous Coward on Sunday April 12, 2009 @11:48AM (#27548933)

    Those aren't mutually exclusive. Convict him in juve or even adult court, the damage was minimal so give him a suspended sentence plus probation. As part of his probation require him to continue his education &/or participate in legal work activities. As part of his sentence have him forfeit his domain name as the fruits of a criminal enterprise.

    However, remember one thing. This is the age where there are almost unlimited legal, productive outlets for young programmers and computer enthusiasts. This kid chose a "blackhat" route. He did so for his own pecuniary gain. These aren't signs of someone just mistakenly screwing around. There's always hope for reform, but don't paint this kid out to be one of the good ones who just stumbled - he's not.

  • I saw this. (Score:3, Interesting)

    by Aladrin ( 926209 ) on Sunday April 12, 2009 @11:49AM (#27548937)

    One of the Japanese people I followed suddenly tweeted a couple lines in English about StalkDaily and I was like 'wtf?' At least now I know it wasn't them.

  • by memojuez ( 910304 ) on Sunday April 12, 2009 @12:51PM (#27549285)
    According to TFA, Two instances of Malware and one instance of the Seneka Root Kit

    A Malwarebytes scan comes up with three instances of malware. One is the Seneka rootkit (ouch!).

    Also, according to the code and analysis posted in TFA, the script was run on the client side, i.e. the user's computer, and exploited an XSS exploit on Twitter's website.

    I think that satisfies the definition of a Black-Hat Hack & Infecting users' PCs.

  • by nneonneo ( 911150 ) <[ac.wahs] [ta] [eloh_maps]> on Sunday April 12, 2009 @01:03PM (#27549351) Homepage

    It was XSS; the idea is that an attacker puts his JavaScript code on a page belonging to someone else. When a victim views the page, their client executes the JavaScript.

    Now, in this case, we got lucky: this guy didn't try to exploit browser vulns or anything of the sort. What if, though, this thing had come to the attention of, say, a botnet operator? Combined with a browser vulnerability (the sort found at CanSecWest, for example), the botnet operator could easily have gotten several thousand more systems under his control very quickly. In fact, XSS holes are presently being used to inject malware on otherwise clean websites all the time -- the difference here is simply the visibility of Twitter as compared to most websites.

    This was harmless, but it may not have been.
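
Added example, not from the thread and not Twitter's code: the comment above describes the mechanism (attacker-supplied JavaScript stored in one user's profile, executed by every browser that renders it). The snippet below shows the defender's side of that: a profile renderer that splices fields straight into HTML beside one that encodes each value for its output context and restricts profile links to http(s). The field names, the sample profile and the helper functions are all constructed for illustration.

```javascript
// Added example (not from the thread): an unescaped profile field as an XSS
// sink, beside the output-encoded version. Names and sample data constructed.

// Encode a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only absolute http(s) URLs are allowed in href; anything else becomes "#",
// so a non-http scheme in a profile link never reaches the browser.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    if (u.protocol === "http:" || u.protocol === "https:") return escapeHtml(u.href);
  } catch (_) {
    // not an absolute URL at all
  }
  return "#";
}

// VULNERABLE: user-controlled fields are interpolated as raw markup, so a
// profile viewer's browser runs whatever the profile owner stored there.
function renderProfileUnsafe(profile) {
  return `<div class="bio">${profile.bio}</div>` +
         `<a href="${profile.website}">${profile.website}</a>`;
}

// HARDENED: every user-controlled value is encoded for the context it lands in.
function renderProfileSafe(profile) {
  return `<div class="bio">${escapeHtml(profile.bio)}</div>` +
         `<a href="${safeHref(profile.website)}">${escapeHtml(profile.website)}</a>`;
}

// Simple check for a test or a log review: does the rendered fragment contain
// any tag the template itself did not emit?
const TEMPLATE_TAGS = ['<div class="bio">', '</div>', '<a href="', '</a>'];
function containsInjectedMarkup(html, templateTags = TEMPLATE_TAGS) {
  const tags = html.match(/<\/?[a-z][^>]*>/gi) || [];
  return tags.some(tag => !templateTags.some(allowed => tag.startsWith(allowed)));
}

// Constructed sample: a profile whose bio carries markup instead of text and
// whose website field is not an http(s) URL.
const sampleProfile = {
  bio: "hi <script>x()</script>",
  website: "javascript:x()",
};

console.log("unsafe :", renderProfileUnsafe(sampleProfile));
console.log("safe   :", renderProfileSafe(sampleProfile));
console.log("injected markup in unsafe output:", containsInjectedMarkup(renderProfileUnsafe(sampleProfile)));
console.log("injected markup in safe output  :", containsInjectedMarkup(renderProfileSafe(sampleProfile)));
```

The point of `safeHref` is that encoding alone does not make a URL attribute safe: an `href` needs a scheme allow-list as well, because the browser interprets the attribute value after entity decoding. `containsInjectedMarkup` is deliberately crude (it only knows the template's own tags) but is the kind of assertion worth keeping in a renderer's test suite.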

  • Re:Bit obvious (Score:1, Interesting)

    by Anonymous Coward on Sunday April 12, 2009 @01:10PM (#27549399)

    Don't worry. Twitter has millions in the bank, and lawyers to hand. This little shit will be sued into oblivion and be flipping your burgers.
