Twitter worm caused by 17-year-old, out of 'boredom'

Over the Easter weekend, Twitter fell victim to yet another attack against the micro-blogging service. This time the attacker was 17-year-old Mikeyy Mooney, who claims full responsibility for the attack, saying "I am aware of the attack and yes I am behind this attack".

The attack was harmless in the sense that no passwords or user data were compromised or stolen; it only left messages on people's Twitter pages such as "Dude, www.StalkDaily.com is awesome. What's the fuss?". The worm infected other Twitter users when they viewed an infected user's page, which made it spread rapidly. The messages linked users to Mikeyy Mooney's own website, which offers features and a style similar to Twitter's.

Mikeyy Mooney described how he carried out the attack: "I am the person who coded the XSS which then acted as a worm when it auto updated a user's profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website."

Twitter responded by saying it has since closed the hole that allowed the worm to spread and is working to remove the unwanted updates from people's accounts.

53 Comments


Why hasn't anyone thought of calling this a Tworm?

We've got Tweets on our Twitters. Now we've got Tworms on there too!

"tweat" Today I walked my worm and we visited all of my "e-friends" "end tweat"

"tweat" tomorrow the postie is going to bring me a real life "end tweat"

It's funny how they are giving so much credit to a stupid script kiddie. Apparently he just took the code of a previous worm, then later he added some stuff and voila... he is an instant genius.

The first rule of a (real) hacker is anonymity; in contrast, a script kiddie enjoys being popular, and usually they give away their name and address and even post photos of their national ID.

So yes, script kiddies are weird like all net rats.

Doli said,
Look at his TOS #9:
9.You must not transmit any worms or viruses or any code of a destructive nature.

1st off if you use Twitter as your only means of communication you have no life.
2nd - and please wake up ...TOS means "Terms of service" it has no legal or judicial function.

Indeed, a TOS is not a contract; it is just a warranty policy + a copyrighted advice + other useless information without legal support.

1st off... ok ... moving on from your twitter rant.
2nd - I am awake, I was just pointing out Mikeyy's TOS for his site.

Are you Mikeyy?

Atlonite said,
psh what else is there to do if it's winter and your snowed in you can only play with it so much befor it get boring LOL


Well, maybe one could pick up a book on the English language and brush up on things like capitalization and punctuation.

Everyone is saying ban him.
Yet he found a hole which could render all usernames/passwords open to anyone.
Why not hire him?

they should ban him but before doing so give him a thnx for finding this vulnerability and say they fixed it and they should tie him to a tree and promote twitter on his body and let him get laughed at.

Doli said,
Look at his TOS #9:
9.You must not transmit any worms or viruses or any code of a destructive nature.

He didn't plan or actually destroy anything.

I think it's good to not "reinvent the wheel" but this guy just took Twitter's TOS and did a "Find and Replace all" to change the words "Twitter" to "StalkDaily" haha

thealexweb said,

He didn't plan or actually destroy anything.


Maybe you didn't see he used the word "or".
"worms"
or
"viruses"
or
"code of a destructive nature"

His code is a "worm", so meets the OR conditions, doesn't it?

Mr. Andrews said,
$10 to the first person to find a vulnerability in his website :P

LOL. Yeah, I'm sure he wouldn't be so keen on that.

Sam Symons Live said,
LOL. Yeah, I'm sure he wouldn't be so keen on that.

Found a few bugs.

Just registered with 'login' and 'register' as accounts. Broke things - he's working to fix them though. For a while at least, people couldn't login or register due to my account creations :)

smooth_criminal1990 said,
Why punish him? I mean he didn't exactly do any harm did he? And I find it quite funny how he named his website and that it's similar to Twitter!

There's no excuse. It quite simply breaks the law.

I'm not a Twitter user thank god, but if he found a flaw, it's better to report it rather than use it to your advantage and hinder other people's use of the website. Being 'bored' isn't an excuse.

From my understanding of this article, nobody who uses twitter was "hindered".
You'll also find that just reporting security holes rarely motivates the developers to close them, which is why many security holes found also have the hole published publicly shortly after by the finders. What he did was motivate the hole to be closed before it was used for worse reasons by others who found it.

LynxMukka said,
There's no excuse. It quite simply breaks the law.

What law? I'm not challenging your assertion, I'm actually curious. Is a law actually being broken here?

LynxMukka said,
There's no excuse. It quite simply breaks the law.

Smart people shouldn't be put in jail for being smart, unless they cause real damage. He helped Twitter find an exploit in exchange for free publicity, there wasn't any harm done.

remember that movie sneakers ?? sometimes people pay people to break in.. a network.. a building.. it's kinda like a test of security. i've heard of several security consulting firms finding exploits.. making them apparent... them telling them after hoping to gain a new client. sometimes it's as sniffing out someones unsecured wifi AP knocking on their door and telling them.. i once dropped a txt file on my neighbors desktop in windows asking them to please secure their router. they prolly freaked and returned their router for being faulty or read the freekin manual. either way i never accidentally connected to their crappy network again. there are tons of ways to exploit twitter. punish him? nah... not unless they wanted to make an example out of him. much much worse can be done. and the bigger twitter gets, starts selling shares, etc much much much worse can be done.

just a thought.

happy bunny day

Printing a friendly message to their printer is much more effective... Of course... Printing a page of nothing but black did cross my mind...

EmuZombie said,
Printing a friendly message to their printer is much more effective... Of course... Printing a page of nothing but black did cross my mind... :)

*sigh* Don't you watch scary movies? "I'm right behind you!" over and over and over

"I am the person who coded the XSS which then acted as a worm when it auto updated a users profile and status, which then infected other users who viewed their profile. I did this out of boredom, to be honest. I usually like to find vulnerabilities within websites and try not to cause too much damage, but start a worm or something to give the developers an insight on the problem and while doing so, promoting myself or my website." To be honest, it could have been much worse.

WAR-DOG said,
what a curious last name... mooney... like money with an obsolete o

At least his last name is not "Mouse".

Anyway, the security of Facebook is seriously lacking if just any bored kid can write a worm for it.

what said,
What were his parents smoking when they gave him the name Mikeyy?

"Just one Y? Are you insane? One more will do it, it will serve him in good stead for years of correcting himself on the phone or people automatically correcting it thinking its a typo".

Lord Ba'al said,
At least his last name is not "Mouse".

Anyway, the security of Facebook is seriously lacking if just any bored kid can write a worm for it.


You mean Twitter.