Teen takes responsibility for Twitter worms

Updated at 7:40 p.m. PDT with more information from the worm's creator.

As a second Twitter exploit began circulating on the micro-blogging site Sunday, a teen-ager from Brooklyn told CNET News he created both worms because he was bored and wanted to draw attention to the Twitter flaw.

Much like Saturday's StalkDaily worm, the "Mikeyy" worm posts unwanted messages to users' pages. The "Mikeyy" worm began spreading on the micro-blogging site early Sunday, posting messages such as "Mikeyy I am done...," "MikeyyMikeyy is done.," and "Twitter please fix this, regards Mikeyy."

Brooklyn resident Michael "Mikeyy" Mooney, 17, told CNET News in an interview that he created the worm "out of boredom."

"I thought about it later and basically did it because I was bored," he said. "And I didn't think Twitter would fix (the flaw) very soon. But I didn't think it would spread as far or as fast as it did."

Mooney, a high school senior who said one day he hopes to get a job as a security analyst, said he has been creating worms for about three years. He added that the worms he creates aren't designed to do much damage but that this will likely be his last worm.

"I'm done with Twitter," he said, adding that he was feeling a bit overwhelmed. "I've been getting too much attention lately."

Mooney said his site has has been live to the public for about two weeks and has 905 members, but that it "is growing quickly because of the worm."

The messages circulating Saturday promoted StalkDaily.com, a short-messaging site similar to Twitter. While initially denying any responsibility for the worm, StalkDaily.com posted a message saying, "I have came clean and have accepted the responsibility for the worm..."

Twitter said it has closed the hole that allowed the worm to spread.

"We've taken steps to remove the offending updates, and to close the holes that allowed this 'worm' to spread," Twitter said in a statement Saturday. "No passwords, phone numbers, or other sensitive information were compromised as part of this attack."

However, Mooney said he released the second worm exploiting the original flaw Sunday morning, after Twitter claimed to have closed the holes. He also said that he had not yet been contacted by Twitter representatives.

[monkeyfun14]

Wow what a damn idiot.

Who confesses to this kind of thing and how do you expect to trust that site now?

[ZetaZeta_]

From what I can tell, I see a nonmalicious hacker trying to help Twitter close a hole, and I see the kid is capable when it comes to website security. I'd check out his site.

[Random_Walk]

Hey - at least he had the stones to own up to it, and tried to not cause damage (or had criminal intent).

If I were Twitter I'd pay the guy a recurring consultancy fee and turn him loose on a test environment.

[n3td3v]

Incredible and stupid.

[colamix]

Six figure salary software 'engineers' and along comes a kid poking holes right through it. He will likely get sued because corporations would rather have gaping holes in their software than have their incompetence exposed.

[Rod Roddy]

Amen to that brother, although if it were the Government they would hire him.

[PhaseDMA]

The reality is you can't close these holes. I know a person that has been able to get into the admin side of phpbb forums in the same way for years.

And there has got to be like 20 versions since then that have fixed security issues. But unless it is brought to your attention it won't be found and fixed. When it is brought to their attention though it typically gets fixed in less then a day.

You can't blame anyone. First off someone looking for holes is going to find them eventually. Second off looking at your own code doesn't work. It tends to all blur at some point. At least after it does what you want it too.

But how many times will a major developer patch something that has never been exploited? Lots...

Again. If someone spends enough time trying to break in their going to break in.

[colamix]

From the Twitter blog: "The worm introduced to Twitter was similar to the famous Samy worm which spread across the popular MySpace"

The obvious question should be why were they vulnerable to a 'famous' attach vector? So the kid gave them a weekend sweat and got them to secure their network, give him a break from the bloodsucking lawyers.

[pablouk1]

Good way to stop these fools is 10 years in jail, getting raped by some big fella will soon change their attitude.

[PWK64]

I agree with Colamix. You pablouk1 are a ridiculous moron. To even suggest that a white collar crime of this magnitude warrants a brutal assault is beyond comprehension. BTW They have computers down at the farm now?

[this1!]

gotta agree with PWK here, the worms didn't really do much in the way of breaking laws (that i can think of, if no personal information of users was compromised) and if anything, hey, better some bored 17 year old that wants to promote his site, then some mad man bent on causing a firesale. (sorry just watched live free die hard for like the 8th time...)

[ZetaZeta_]

"Good way to stop these fools is 10 years in jail, getting raped by some big fella will soon change their attitude."

Yep. Good way to stop bad devs like the ones who left this hole open is what you said.
Luckily we have kids like the 17 y/o in the article defending us from poor development.

[Random_Walk]

So pablouk01, let me get this straight: you're actually condoning and promoting pedophilic rape as a means of retribution?

You need help, man...

[SlimGem]

I wonder how bored he would be behind bars. Hey, say that ten times real fast.

[btipling]

Kid who created a myspace work got in big legal trouble after he blabbed his mouth about it.

[mediocrates--2008]

Although terrorists and hackers prefer to claim "credit," for their actions, conscientious reporters use the term "responsibility" instead. You might want to rethink your headline, Steven.

[rhsc]

Spin away, mediocrates, spin away.

[Gabey8]

"Although terrorists and hackers prefer to claim "credit," for their actions, conscientious reporters use the term "responsibility" instead."

I've always felt that in the case of terrorists, an even better verb would be "accepted blame". After all, when someone accepts *responsibility* for damage they've caused, it normally involves helping to undo the damage by paying for repairs, compensating victims, etc. Terrorists do none of those things.

Hackers who inflict some measure of damage, and do nothing to repair or compensate for the damage they've done, probably should be described in the media as accepting blame, too.

[daimajinbuu]

Hey Mikey, want to meet a real black-hat hacker? Cnet should never have mentioned your name...

[DrStrangelove23]

Oh Mickeyy Mooney, you haven't just exposed a gaping hole, but you have opened a HUGE can of worms. You have REALLY angered quite a few people who are older, smarter, and were finding vulnerabilities YEARS before the internet (since you're too young to remember, there was this thing called a BBS and we used devices called 300 Baud Modems attached to our telephones to access it). You may not feel the pain of prisonrape, but you have truly invited a world of hurt upon yourself. Logically I would like to think, that you're only kidding to get attention, but you've REALLY outdone yourself! I feel so sorry for you, kiddo!

[imrui]

Second worm isn't caused by mikeyy, but another skiddie who exploited the XSS vulnerability, when I decoded the source js file used, the handle "bambamyo" came out from a 110mb.com account (one of two sites where the js files were hosted).. as of now, it appears to be removed..

2 other files are hosted in http://content.ireel.com/ which appears to be hacked and the js files are removed too..

So, in my theory, that bambamyo guy (http://www.youtube.com/user/bambamyo, http://www.myspace.com/john_be_still) who owns the 110mb account, maybe the same skiddie who have access to ireel, and abused the XSS vulnerability..

[BeauGiles]

Or he just decided to host it somewhere else incase one site got pwned...

[Harrison912]

I'm typically on Twitter to socially market my safety and security site so I'm always interested an what's going on at there. These things are annoying but I'm glad Twitter took care of it. He's a smart kid, he just needs to channel it for good purposes.

[knowles2]

And that why he should not end up in jail. where he will probably meet people who will be more than willing to use him and his skill for far more serious offenses and money making offence, which is a lot worst than pointing out a hole twitter.

[littleM]

Just think how many 'professional' crackers are disappointed to have this potentially lucrative exploit closed. Kids should leave these things to the ones who pillage in private.

[siyangqiu]

Why didn't he make the worm patch the holes instead. I remember there was a worm for linux and its name had to do with cheese,i think, and i patched up a hole.

[Dalkorian]

Most likely you're thinking of a winblows worm, many of them "patch" the flaws they exploit (conficker for example). The reason isn't so pure as you'd think - they don't want a competing worm taking over the machine, so they "patch" the flaw that let them in.

[grecs]

Let's open the responsible disclosure can of worms debate. :)

[Steve_KTG]

I wonder if he had time to learn how to drive; he seems fairly busy for such a bored guy. This is as good reminder as any to be aware of the risks among the numerous (and more obvious) positives to social networking; frequent contact comes with a cost in the form of risk. http://www.justaskgemalto.com/en/search/node/facebook is a good example of those risks.

[jafarm66]

Good Job exposing the hole in Twitter.. I don't think you deserve jail or anything since you didn't cause any harm or steal any information.

Too bad "The theives" aka "We're here to help" aka "We know whats best for you" Federal Gov''t will probably make an example of you.