Twitter was hit with at least three different worm attacks that started Saturday and continued into Sunday, the micro-blogging service acknowledged as it promised users it would review its coding practices.
Michael “Mikeyy” Mooney, the 17-year-old creator of the StalkDaily Twitter-copycat site, has admitted creating the worms.
“At about 2 a.m. on Saturday, four accounts were created that began spreading a worm on Twitter,” company co-founder Biz Stone announced in a blog entry Sunday. “From 7:30 a.m. until 11 a.m. PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts.”
That worm, which was widely reported on Saturday and dubbed “StalkDaily,” exploited a cross-site scripting vulnerability in the Twitter service to infect user profiles. The original attack relied on tweets that referred to several malicious accounts allegedly created by Mooney; when users viewed those accounts’ profiles, their own profiles became infected, and their accounts then sent more spam-style messages to entice friends to the just-infected profiles.
Those messages promoted the StalkDaily site with tweets such as “I love www.StalkDaily.com” and “Dude, www.StalkDaily.com is awesome. What’s the fuss?”
The second attack, which Twitter said affected about 100 different accounts, occurred later Saturday, and the third began Sunday. All three were exploiting cross-site scripting bugs in the service.
“All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm,” Stones said in his blog post.
Sunday’s worm, which was pegged as “Mikeyy” because the tweets it forced infected accounts to send included “Mikeyy I am done…” and “Man, Twitter can’t fix sh*t. Mikeyy owns,” was also set loose by Mooney, according to an interview conducted with him earlier today by Net News Daily.
When asked why he created the StalkDaily worm, Mooney said, “Out of boredom. It was the middle of the night and I had nothing else better to do.”
Also in the interview, Mooney both dismissed his actions and said he knew the attacks could land him in trouble. “I feel pretty bad about it, but it’s not me that left the vulnerability out in the open,” he said, then later added, “I’m not worried, though. I know that it could land me in jail.”
On the StalkDaily Web site, Mooney posted a short message that read: “I have came clean and have accepted the responsibility for the worm.”
Twitter was not available for comment Sunday to answer questions about whether it had, or would contact law enforcement officials.
One security company warned that the attacks may not be over. “There’s going to be quite a few modified Twitter worms for a day or two,” predicted Mikko Hypponen, chief research officer at F-Secure Corp., on his company’s Web site. “Be careful in Twitter, don’t view profiles, don’t follow links.”
Hypponen also noted that the attacks rely on JavaScript, and that users can protect themselves further by disabling JavaScript in their browsers.