Twitter got hit with a little security incident this afternoon that we’ll call the “StalkDaily Worm”. I have no clue if the StalkDaily site was actually associated with the worm at this point or if it was simply a misdirection. I believe it to be the latter.
At around 3:43pm PST this afternoon I noticed some odd updates from a couple of my friends regarding the StalkDaily site. I then saw this tweet from @JoeCascio:
First virus-like hack of Twitter is StalkDaily.com. Looks like a code injection in the Location field of your profile.
Coming from Joe, I knew something was up. Looking at one of the infected profiles I saw a link to the StalkDaily site, but then also some script tags. These typically aren’t allowed as part of a profile URL and looked suspicious:
This was a nasty little script.
This is also one of the reasons that I browse the web with NoScript. It’s a hassle, sure, but it prevented the script from an untrusted domain (uuuq.com) from running on Twitter.com.
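The server-side side of the same problem, as an added example that is not code from this post or from Twitter: a profile URL value rendered unencoded next to a version that validates on input and encodes on output. The function names and the sample value (with its `.example` hosts) are constructed for illustration.

```javascript
// Constructed sample: a profile "URL" value carrying markup, in the style the
// post describes (a link followed by a script tag from another host).
const SAMPLE_PROFILE_URL =
  'http://site.example/"></a><script src="http://untrusted.example/x.js"></script>';

// Vulnerable pattern: the stored value is pasted into the page unencoded,
// so any markup in it becomes part of the document for every visitor.
function renderProfileLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Encode the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Accept only absolute http(s) URLs with no raw markup or whitespace.
// Returns the normalized URL, or null if the value should be rejected.
function validateProfileUrl(value) {
  if (typeof value !== 'string' || value.length > 2048) return null;
  if (/[<>"'`\s]/.test(value)) return null;
  let parsed;
  try { parsed = new URL(value); } catch (e) { return null; }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  return parsed.href;
}

// Hardened pattern: validate on input, encode on output.
function renderProfileLinkSafe(url) {
  const clean = validateProfileUrl(url);
  if (clean === null) return ''; // render no link for a rejected value
  const e = escapeHtml(clean);
  return '<a href="' + e + '" rel="nofollow">' + e + '</a>';
}
```

Either control alone stops this sample; keeping both means a gap in the input check does not turn into script running in other users' sessions.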
It looks like Twitter has already taken care of the issue for the most part. Thanks to @al3x and crew for their near-instant response on what was likely a nice relaxing Saturday afternoon.
If you have the stalkdaily URL in your profile, you were likely attacked by this issue. Twitter has taken care of it at this point, so feel free to correct your URL and continue with your Saturday evening Twittering. There’s some more information on this post.
Be safe out there - the Internet is a dangerous place. :)
(2009-04-12): A brief update - another round of the worm hit Twitter on Sunday morning. It was effectively the same thing, but attacked a different field. The code, oddly enough, had also been run through an obfuscator. You can see the partially obfuscated code from the second worm here: second version of worm.