Over the weekend, Twitter was hit by a worm that exploited a cross-site scripting (XSS) vulnerability in twitter.com to spread spam tweets. According to Twitter, roughly 200 accounts were compromised and some 10,000 tweets in total were identified as worm-generated spam.
“Earlier today we were informed of a malicious site that was spreading links to StalkDaily.com on Twitter without user consent via a cross-site scripting vulnerability,” Twitter posted on its status update page late Sunday. “We’ve taken steps to remove the offending updates, and to close the holes that allowed this worm to spread.
No passwords, phone numbers, or other sensitive information were compromised as part of this attack.”
In total, four variants of the worm have hit Twitter between the weekend and Monday. Early Monday, Twitter reported that it was successfully fighting the fourth variant.
As far as I can tell, the cross-site scripting flaw is, or was, specific to the Twitter web interface: if you logged in through twitter.com, you could have been exposed to it. Users of third-party clients (such as Twhirl or TweetDeck) were not exposed in the same way, because an XSS payload only executes when a browser renders the vulnerable page; anyone who also visited an affected twitter.com page in a logged-in browser, however, would have faced the same risk.
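To make the point concrete, here is an added illustration of why an XSS flaw lives in the web application's HTML rendering rather than in the client. This is generic example code written for this post, not Twitter's code, and it does not reproduce the StalkDaily worm's payload or the actual injection point (which the post does not describe). It assumes a made-up profile with user-controlled `website` and `bio` fields rendered into an HTML profile page, and the injected strings are constructed placeholders:

```javascript
// Added illustration (not Twitter's code): a profile renderer that
// concatenates raw user data into HTML, beside a hardened version that
// encodes each value for the context it lands in.
// Assumed data model: a profile with user-controlled "website" and "bio".

// Constructed sample profile. The injected fragments are harmless
// placeholders standing in for a stored-XSS payload, not the real worm.
const PROFILE = {
  name: "alice",
  website: 'http://example.invalid/" onmouseover="placeholder()',
  bio: "<script>placeholder()</script> hello",
};

// Vulnerable renderer: whatever the profile owner typed becomes markup in
// every viewer's browser session on the site. That is the stored-XSS
// condition a self-propagating worm needs; a client that never renders
// these pages never executes the script.
function renderProfileVulnerable(p) {
  return (
    `<h1>${p.name}</h1>` +
    `<a href="${p.website}">website</a>` +
    `<p>${p.bio}</p>`
  );
}

// HTML-escape for text content and double-quoted attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http(s) URLs are allowed in href; anything else is dropped.
// new URL() also percent-encodes quotes and spaces in the path.
function safeUrl(u) {
  try {
    const parsed = new URL(u);
    return parsed.protocol === "http:" || parsed.protocol === "https:"
      ? parsed.href
      : "";
  } catch {
    return "";
  }
}

// Hardened renderer: every user-controlled value is encoded for its
// context (text node, attribute value, URL). Fixing this once on the
// server fixes it for every browser that loads the page.
function renderProfileHardened(p) {
  return (
    `<h1>${escapeHtml(p.name)}</h1>` +
    `<a href="${escapeHtml(safeUrl(p.website))}">website</a>` +
    `<p>${escapeHtml(p.bio)}</p>`
  );
}

// Crude reviewer's check over rendered output: did a script tag or an
// inline event handler survive into the markup?
function containsRawMarkup(html) {
  return /<script|on\w+\s*=\s*["']/i.test(html);
}

console.log("vulnerable:", containsRawMarkup(renderProfileVulnerable(PROFILE)));
console.log("hardened:  ", containsRawMarkup(renderProfileHardened(PROFILE)));
```

The detector is deliberately simple and is there to show the failure mode, not to stand in for a real HTML sanitizer; the durable fix is the context-aware encoding in the hardened renderer, applied on the server so that no client update is needed.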
No question, this is cause for concern, but the speed with which Twitter is responding to this worm is commendable. It also shows one way in which web-based services can be more secure than desktop software: Twitter only has to patch its own server-side application, not software installed on millions of desktops. A worm like this can be contained very quickly (unlike Conficker and its desktop variants) and should cease to exist sooner rather than later.
Twitter is also going to go after whoever created the worm and ensure that they pay the legal price.
“The worm introduced to Twitter this weekend was similar to the famous Samy worm which spread across the popular MySpace social-networking site a while back,” Twitter founder Biz Stone blogged. “At that time, MySpace filed a lawsuit against the virus creator which resulted in a felony charge and sentencing. Twitter takes security very seriously and we will be following up on all fronts.”