I was browsing Twitter late into the night. At some point I hit a profile with a funny ASCII animation at the top. Maybe that was where it started, I don’t know.
This is what I saw in my Twitter account…
Dude! Mikeyy! Seriously? Haha.
Dude, Mikeyy is the shit!
What I do know is I woke up and was unpleasantly surprised. I checked my emails. A nice and informed person had notified me that my Twitter profile had been hit with the “mikeyy exploit” and I may want to check it out and change my password or something.
He left me this link to read up on the situation.
http://www.sophos.com/blogs/gc/
Then I went to search.twitter.com and looked up tweets people had sent me. Some people were asking why I was saying things about Mikeyy, but others knew what was happening and sent more links like this one.
http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/
I don’t claim to understand what exactly happened, other than it seems some temporary Javascript can be applied to a page and funny business can be made to happen on that page by a page from another site. This is apparently called a cross-site scripting attack or XSS.
http://en.wikipedia.org/wiki/Cross-site_scripting
The issue can be addressed by Firefox users with the “NoScript” extension. I hate the idea of installing this. Seems like there should be a better way. Indeed maybe one of Explorer’s annoying popups has addressed it over in that camp. I need to look more into that.
Here is the Firefox solution.
I have installed it. It is annoying. I went into the preferences and cranked it down a little. There is also an “S” logo at the bottom of the browser that lets me change specific preferences for a site. I turned on a sound effect when it is called up so I can change the settings for a given site and not miss the intended and good functionality of that site.
In this particular situation, I do not believe the code is still in my Twitter profile. I think last night’s issue has been resolved.
Being someone who makes websites and loves Javascript, this is a troubling fix. The browsers should step it up here, as they may have already begun doing.
I have exposed some of my ignorance here. I hope if you know more you will leave a helpful comment below. Thank you!
Tags: crosssitescriptingattack, hack, twitter, xss
Twitter says they patched it – http://status.twitter.com/post/95332007/update-on-stalkdaily-com-worm
Hello David,
1. Javascript is bad. It is slow, it severely slows down the page loading time and, as you can see, is quite a security issue.
2. NoScript is a protective shield for you on new sites (it won’t bother you once you’ve allowed a site). This is called the default-deny approach, and the Internet would be a way safer place if it had been used from the very beginning.
Hi David,
NoScript is indeed annoying and difficult to use for most people. As a security professional that frequently visits malicious sites, it makes sense for me to use it, despite the overhead.
Once you “trust” certain sites using NoScript though, they continue to work as normal. It is difficult to know what should be trusted or not and would be nice to have a better solution. Unfortunately, the intertwining of the web combined with common security flaws makes it quite the challenge.
Thanks Gary. I appreciate your insight.
Update: this worm also changed my Twitter > Settings > Design > Links Color to “#STYLEMIKEY”. Just found that and changed it to a real color. Maybe this is how the script launched… hmm
Thanks to http://andrew.hedges.name/blog/2009/04/12/dude-mikeyy-cant-even-spell-his-own-name for the howto.
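One way to close the kind of hole the update above describes, as an added example that is not code from this post, from Twitter, or from the linked write-ups: a profile “Links Color” setting is treated as a typed colour literal and validated before it is ever written into the page, so a value like “#STYLEMIKEY” is replaced rather than copied through. The default colour, the function names and the style-block layout are my own assumptions.

```javascript
// Added example (not from the post or Twitter's code): treat a profile
// "Links Color" setting as a typed colour literal, never as free text.
// Constructed default used when a stored value fails validation.
const DEFAULT_LINK_COLOR = "#0000ee";

// Strict allow-list: "#rgb" or "#rrggbb", nothing else. Any other
// string (e.g. "#STYLEMIKEY", or anything carrying CSS/HTML syntax)
// is rejected outright instead of being copied into the page.
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;

// Returns the normalised lower-case "#rrggbb" form, or null if invalid.
function validateLinkColor(input) {
  if (typeof input !== "string") return null;
  const value = input.trim();
  if (!HEX_COLOR.test(value)) return null;
  let hex = value.slice(1).toLowerCase();
  if (hex.length === 3) {
    // Expand the short form: "#abc" -> "#aabbcc"
    hex = hex.split("").map((c) => c + c).join("");
  }
  return "#" + hex;
}

// BEFORE: the stored setting is copied straight into a <style> block.
// Whatever the field holds ends up verbatim inside the page.
function renderLinkStyleUnsafe(storedValue) {
  return `<style>a { color: ${storedValue}; }</style>`;
}

// AFTER: only a validated colour literal can reach the stylesheet; a bad
// stored value is swapped for the default and flagged for the caller,
// which is also the signal a site could log to spot tampered profiles.
function renderLinkStyle(storedValue) {
  const color = validateLinkColor(storedValue);
  return {
    html: `<style>a { color: ${color ?? DEFAULT_LINK_COLOR}; }</style>`,
    rejected: color === null,
  };
}
```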
I just wanted to mention that the podcast Security Now discussed NoScript a lot back in the fall and there is a way to make it less annoying by turning off notifications. (Not sure if you meant turning down notifications or turning down blocking.) Then you only have to be bothered with it if you realize something is not working on a site you trust. Then you turn on scripting for that site. Their conclusion was that it really should be off by default because it is so annoying it discourages people from using it.
It is mentioned very close to the top of this episode:
http://www.grc.com/sn/sn-172.htm
There is more discussion of NoScript in:
http://www.grc.com/sn/sn-168.htm
http://www.grc.com/sn/sn-169.htm