Sick BirdEverybody heard the tweets: after several other security issues, including “exotic” ones like Clickjacking or JSON hijacking, Twitter is in serious troubles again, this time with an old-school XSS worm which quickly managed to infect many users profiles and is still spreading in multiple variants.

This plague is the brainchild of a 17 years old named Mikeyy, who created it as a publicity stunt to promote his own Twitter clone, StalkDaily.com. A good technical description of its rather simple inner workings has been kindly provided by Damon Cortesi. As you can see, unless the mikeyylolz.uuuq.com doman is allowed to run JavaScript (very unlikely for NoScript users) you’re immune from infection.

This worm having been active so long is quite a surprise to me, since the exploited vulnerability (missing output encoding on users’ profile web page URL) requires less than one minute to be fixed, if you know what you’re doing. The existence of a mildly obfuscated version authorizes a scary suspect: have Twitter guys just been trying to block the original strain by signature, rather than fixing their website error? This is would be ridiculous*, since any script kiddie can create his own slightly modified version for fun or profit (and is probably doing that). And while the initial code just logs your session cookie on a remote server (which is already bad enough) and replicates itself as spam, nothing restrains a more malicious attacker from taking over your account with all its profile data right away.

The morale of this story? Never tweet without NoScript.

* Update

Ridicolous, but apparently true: in Twitter’s first hand account of the countermeasures taken over the weekend, there’s a lot of “cleaning up and locking down profiles”, but nothing about fixing the website’s bugs which allow infections like this to be spread.

15 Responses to “Mikeyy’s StalkDaily Twitter Worm vs NoScript”

  1. #1 duryodhan says:

    So I am a noob to XSS etc. , but am I wrong in thinking that :

    1. Twitter didn’t have basic injection protection for its user’s homepage field ? (basic stuff like filter out the html tags etc. ?)

    2. Then when they figured out they were having a bad day , they just decided to block the script behaviour (based on its signature ) — NOT fix the filtering ???

    This is what I am understanding after reading up .. and I can’t believe it!

  2. #2 Giorgio says:

    @duryodhan:
    You’re surely correct on #1, and probably correct on #2 (that’s the suspect I talk about in my post).
    If #2 wasn’t at least partially true, an attacker wouldn’t bother with obfuscating his code on subsequent attacks (I read of 3 waves so far after Twitter devs announced they were taking care of the problem)…

  3. #3 John T. says:

    @duryodhan:

    The profile fields were only open to injection a few days ago. I know this because I tested them for XSS issues a week ago and the three used by the worm didn’t exist then. Someone at Twitter fucked up and deployed some bad code.

  4. #4 Giorgio says:

    @duryodhan, John T.:
    I’ve updated my post to reflect what I read on Twitter’s blog: yes, they don’t know what they’re doing.

  5. #5 therube says:

    [quote]unless the [b]mikeyylolz.uuuq.com doman[/b] is allowed to run JavaScript (very unlikely for NoScript users) you’re immune from infection
    [/quote]

    That may be a bit overextended statement.

    Going on the assumption that the majority of NoScript users have (the default) ‘Base 2nd level Domains’ enabled, then [i]if[/i] they happened to have uuuq.com whitelisted (not necessarily mikeyylolz.uuuq.com), then they would be vulnerable.

    Now after Googling for site:uuuq.com & trying a good number of links, I found that they all turned up dead. Obviously not all will be dead, mikeyylolz was there for some period of time, but one might surmise that the vast majority of users would not have even uuuq.com whitelisted, & so they would be protected.

  6. #6 GµårÐïåñ says:

    Well as I always say, stop chasing fads, use common sense, and try to take a pessimistic approach to the web and protect yourself proactively. Always knew NoScript rocks, now the proof is in the pudding :)

  7. #7 Tom T. says:

    therube wrote:

    "Going on the assumption that the majority of NoScript users have (the default) ‘Base 2nd level Domains’ enabled,"

    Ever since the decision to default to full lockdown of ClearClick protection (trusted and un-), I had assumed that full lockdown was the default on all. We are telling people, "Everything is blacklisted by default". I’ve always run that way.
    http://img21.imageshack.us/img21/884/nslockdown.png
    If *any* levels of domains are allowed by default, perhaps that decision should be reconsidered, or we should warn people and amend the FAQ, Beginner’s Guide, etc. accordingly.

  8. #8 Zero Day mobile edition says:

    […] campaigns. With the proof of concept code for both of the worms now publicly available, and with NoScript’s creator Giorgio Maone logical conclusion that Twitter may have in fact not taken care of the XSS flaw as the second variant launched by a […]

  9. #9 Giorgio says:

    @Tom T.:
    I believe there’s a little misunderstanding here. What therube means, I guess, is that most NoScript users keep the default (medium lockdown) configuration, i.e. they’ve got “Base 2nd level Domains” checked in the Appearance options. This doesn’t mean they’ve got anything allowed by default, this just means that when they popup NoScript’s menu they can see 2nd level domains (like uuuq.com) rather than full domains (mikeyy.uuuq.com. However it’s just as unlikely that any NoScript user has uuuq.com in his/her (permanent) whitelist.

  10. #10 Web worm infetta Twitter: di cosa si tratta? - Appunti Digitali says:

    […] le raccomandazioni sono sempre le stesse: tenere sempre la guardia alta e usare plugins come NoScript. Gli sviluppatori web, dal canto loro, dovrebbero seguire con cura le linee guida indicate da OWASP […]

  11. #11 duryodhan says:

    Hmm .. he does raise a good point though… is there any way to host a js on Google.com / Yahoo.com etc. subdomain?

    Any particular use cases why "Base 2nd level domains" is the default?

  12. #12 Giorgio says:

    @duryodhan:
    for the sake of usability. NoScript is aimed to the average user, despite some dissenting voices, and you need to draw the line somewhere: on some sites the number of menu items is already overwhelming by default, and the choice can be hard and time consuming.

    However most tech savvy users do understand this issue and switch “Full domains” or “Full address” view (I use the former, and I guess therube does as well).

  13. #13 Tom T. says:

    #9 Giorgio says:
    April 14th, 2009 at 12:18 pm

    @Tom T.:
    I believe there’s a little misunderstanding here. What therube means, I guess, is that most NoScript users keep the default (medium lockdown) configuration, i.e. they’ve got “Base 2nd level Domains” checked in the Appearance options…

    #12:
    However most tech savvy users do understand this issue and switch “Full domains” or “Full address” view (I use the former, and I guess therube does as well)

    Yes, my misunderstanding. I assumed therube was referring to the General tab, "Temp Allow … by default" (Full, Base 2nd, etc.), rather than the Appearance tab. FWIW, I do have "Full address" view selected there. Thanks for clearing up my misunderstanding.

  14. #14 Jake Kasprzak Online › The Twitter XSS Worm and Lessons That Can Be Learned From It says:

    […] here, is a modified yet non-obfuscated version of the source code used by the original worm. As Giorgio Maone said, it appeared as if those trying to correct this issue were trying to defend again…. A few days after this was mentioned, Lynne Pope mentioned that with variations of the worm […]

  15. #15 Twitter Trackbacks for hackademix.net » Mikeyy's StalkDaily Twitter Worm vs NoScript [hackademix.net] on Topsy.com says:

    […] hackademix.net » Mikeyy’s StalkDaily Twitter Worm vs NoScript hackademix.net/2009/04/13/mikeyys-stalkdaily-twitter-worm-vs-noscript – view page – cached Giorgio Maone’s answers to the Web, the Universe, and Everything * Home * Why * Me, ma1 — From the page […]

Bad Behavior has blocked 7691 access attempts in the last 7 days.