Monday, 13 April 2009

Does Mikeyy spell the end of Twitter?

Twitter Worm

The micro-blogger Twitter has been clobbered by a number of XSS attacks that placed unwanted messages on users' profiles.

The "Mikeyy" worm spreads when a Twitter user clicks through to an infected page from a tweet posted by an infected user. That user then tweets the same link to other users.

Reports have said that the 17-year-old script kiddie behind the StalkDaily site, Michael "Mikeyy" Mooney, admitted creating the virus attack "out of boredom."

From ComputerWorld

Somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing somebody's profile page on Twitter that was already infected. If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript, thereby infecting anybody that then visits your profile.
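The flaw the ComputerWorld passage describes, as an added example that is not code from the original post, from ComputerWorld or from Twitter: a profile-URL field dropped straight into an href attribute, next to a hardened renderer that checks the scheme on input and attribute-encodes on output. Function names and the sample input are constructed for illustration.

```python
# Added example: unsafe vs. safe rendering of a stored profile-URL field.
# The function names and inputs are constructed; nothing here is Twitter's code.
import html
from typing import Optional
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def render_profile_link_vulnerable(stored_url: str) -> str:
    """Reproduces the flaw: the stored, URL-encoded value is decoded and
    placed into an href attribute with no escaping, so a quote in the value
    closes the attribute and any following markup becomes live HTML."""
    return '<a href="%s">website</a>' % unquote(stored_url)


def validate_profile_url(raw: str) -> Optional[str]:
    """Input-side check: decode once, then require an absolute http(s) URL
    with a host. Anything else is rejected rather than stored."""
    candidate = unquote(raw).strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_profile_link_safe(stored_url: str) -> str:
    """Output-side fix: even a value that passed validation is attribute-
    encoded, so quotes and angle brackets can no longer break out of href."""
    url = validate_profile_url(stored_url)
    if url is None:
        return "<span>no website</span>"
    return '<a href="%s">website</a>' % html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed sample: a URL-encoded value that closes the attribute
    # and injects a harmless <i> tag (stands in for the worm's script).
    sample = "http://example.com/%22%3E%3Ci%3Ehi%3C/i%3E"
    print(render_profile_link_vulnerable(sample))
    print(render_profile_link_safe(sample))
```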

What's particularly dangerous is that this worm generated tweets that tricked other users into clicking its links, because they appeared to come from trusted sources such as friends and family members.
In this case the messages were fairly innocuous and were used to drive traffic ... However, what if the URL had pointed to MORE malicious code?

Haven't we been here before with e-mail and IM clients? Why are we, or in this case Twitter, not learning the lessons of the past?

Even if this is not the end of Twitter, it will certainly be the beginning of the rise of third-party clients, as everyone, even basic users, looks for more secure ways of getting their Twitter fix...

