
Community Building and User Generated Content Forum

    
Worm Infected Twitter User Accounts
engine




msg:3891971
 11:52 am on Apr 14, 2009 (gmt 0)

Worm Infected Twitter User Accounts [news.bbc.co.uk]
Twitter has been given the all clear after a worm infected "tens of thousands of users". But experts say the attack could have been much worse.

Over the weekend, a self-replicating computer program, or worm, began to infect profiles on the social network.

The worm was set up to promote a Twitter rival site, showing unwanted messages on infected user accounts.


 

gibbergibber




msg:3892196
 4:42 pm on Apr 14, 2009 (gmt 0)

Apparently part of the reason this spread so far was because it depended on people clicking on shortened URLs. They're standard on Twitter to keep addresses within the character limit, but they also mean it's impossible to guess whether the URL looks suspicious.

pageoneresults




msg:3892248
 5:36 pm on Apr 14, 2009 (gmt 0)

Apparently part of the reason this spread so far was because it depended on people clicking on shortened URLs. They're standard on Twitter to keep addresses within the character limit, but they also mean it's impossible to guess whether the URL looks suspicious.

More information from Twitter here...

Twitter Blog: Wily Weekend Worms
[blog.twitter.com...]

There were not many accounts affected but the infection caused some performance issues within the machine. There have been a total of 4 attacks since it started and each time Twitter has been quick to respond.

According to Twitter, no passwords were compromised but they do suggest you change them just in case. It is not like Twitter is the most secure platform out there. You pass your login credentials across http if you don't pay close attention to where you are logging in from. I'm not sure if this is an oversight or that is just the way it works. That whole give up username/password is rampant in Social Media. People give it up freely over an http connection and to websites that have no information about privacy, security, etc. Scary.

Did you mention URI Shorteners? Those are the nemesis of Domain Brand Existence. RIP as soon as possible.

gibbergibber




msg:3892863
 1:42 pm on Apr 15, 2009 (gmt 0)

Yeah, shorteners such as tinyurl etc.

The worst part is that Twitter automatically converts addresses to a shortened version even when the full address fits within the character limit. Why? What's the point of that?

pageoneresults




msg:3892876
 2:14 pm on Apr 15, 2009 (gmt 0)

The worst part is that Twitter automatically converts addresses to a shortened version even when the full address fits within the character limit. Why? What's the point of that?

That would be a misnomer. Those who have watched me on Twitter will tell you that the 30 character limit for URIs is not correct. In fact, I've been able to get a 76 character URI to non convert. I'd say that 99% of my Tweets now contain unconverted URIs if the destination URI is less than 70 characters and doesn't contain any funky separators like underscores. URIs with underscores have a 98% conversion rate, the damn things just won't work. ;)

I put out a public proposal at the beginning of March for Twitter to do their own shortening. They use TinyURL which is 7 characters and Twitter is 7 characters. I never quite understood why Twitter would not have done their own as they would have surely kept some brand identity for themselves. I think Digg read that and ran with it. :)

URI Shortening Services are on their way out. They are bad for the Internet and all things marketing. I guess we have the creator of Title Slugs to thank for many of the URIs out there that can't be sent without conversion. Smart move!

engine




msg:3892940
 3:17 pm on Apr 15, 2009 (gmt 0)

Here's How to Keep Safe [pcworld.com]
The worm, appearing as "" or "StalkDaily", was created by the 17-year-old Mike Mooney "out of boredom" and is now generating thousands of spam messages containing the word "Mikeyy." This is the fourth attack by the worm in the last four days, which sends Twitter messages from infected accounts, without the owners' knowledge.

How to keep safe from Mikeyy

First of all, experts advise Twitter users not to click on any links from messages containing the words "Mikeyy" or "Stalkdaily." It is recommended you use third-party Twitter desktop clients like Twhirl or TweetDeck (both PC and Mac) and that you do not use the Web-based version of Twitter, especially for viewing user profiles (as this is where the attack seems to originate).

As an additional security measure, you can disable JavaScript in your browser. Firefox users can use the no-script add-on, which stops any unwanted scripts from running.


RonPK




msg:3893684
 1:02 pm on Apr 16, 2009 (gmt 0)

Every professional web builder knows not to display unescaped user input in an HTML page. But over at Twitter they allowed users to enter <script> into their bio AND sent it out unfiltered, unescaped. Jeez.

Then they figured out how to escape < and >, but in sheer panic escape them twice, ending up with messy stuff like &amp;gt; in the HTML source which would be rendered as &gt; to the user.

I'm still seeing that right now, so they either haven't noticed or fixed it yet.

I like Twitter, like it a lot actually. But this worm thing was so easy to prevent.
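The escape-once rule and the double-escaping symptom described in the post above, shown as an added example that is not part of the original thread. The function names and the sample bio are hypothetical and do not represent Twitter's code.

```python
import html
import re

# Constructed sample input: a profile bio carrying markup.
SAMPLE_BIO = '<script src="//example.invalid/x.js"></script> I <3 tweets & links'


def render_bio(raw_bio: str) -> str:
    """Store the raw value; escape exactly once where it enters HTML text."""
    return '<p class="bio">' + html.escape(raw_bio, quote=True) + "</p>"


def render_bio_double(raw_bio: str) -> str:
    """The failure mode from the post: escaped when saved AND when rendered."""
    stored = html.escape(raw_bio, quote=True)          # first pass, at input
    return '<p class="bio">' + html.escape(stored, quote=True) + "</p>"  # second pass


# "&amp;" directly followed by the tail of another entity, e.g. "&amp;gt;".
# Heuristic only: a user who literally typed "&gt;" produces the same bytes
# after one correct escape, so treat hits as leads to review, not proof.
DOUBLE_ESCAPED = re.compile(r"&amp;(?:lt|gt|amp|quot|apos|#\d+|#x[0-9a-fA-F]+);")


def find_double_escapes(html_source: str) -> list[str]:
    """Return every double-escaped entity found in a page's HTML source."""
    return DOUBLE_ESCAPED.findall(html_source)


def visible_text(fragment: str) -> str:
    """Approximate what the browser displays: drop the <p> wrapper, decode once."""
    inner = re.sub(r"</?p[^>]*>", "", fragment)
    return html.unescape(inner)


if __name__ == "__main__":
    for render in (render_bio, render_bio_double):
        page = render(SAMPLE_BIO)
        print(render.__name__)
        print("  source :", page)
        print("  shown  :", visible_text(page))
        print("  flagged:", find_double_escapes(page))
```
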
