It seems to be a bad week for Twitter as once again they have been targeted by an XSS attack which is spreading quickly across Twitter. It’s still not certain as to who wrote it, though “Mikeyy” is being referenced in a number of the messages that are popping up across users pages. Earlier in the week it was determined that a 17-year old named Mikeyy Mooney was responsible for the original XSS attack, and one reason he wrote the exploit was a means to advertise his website. The new attack chooses from one of the following messages and posts it to an infected users page.
Twitter, this sucks! Fix your coding.
Twitter Security Team Really? You need to be fired.
@oprah - sup? welcome to twitter. - mikeyy
@aplusk - hey, homo. - mikeyy
@souljaboytellem - your music sucks dude. - mikeyy
@TheEllenShow - hey baby, love me long time? - mikeyy
@StephenColbert - you funny. - mikeyy
@cnnbrk - he's back. ;) - mikeyy
@nytimes - yep, it's true. - mikeyy
Twitter, do you know about the before_save model callback? - mikeyy
This exploit only affects Internet Explorer users. Thanks. - mikeyy
Twitter, BeforeSave: ForEach: DataArray: EscapeHtmlChars!!! - mikeyy
Get Firefox, thanks. www.Firefox.com
Twitter, you should be paying me now. - mikeyy
The code itself is stored in a file called xss.js on the same server as the previous attacks, not exactly trying to be very subtle. It’s slightly obfuscated though simple enough for us in the Labs to reverse.
At first glance the deobfuscated code appears as though it’s trying to create some ActiveXObjects which tells us Internet Explorer users will be affected, as one of the random comments seems to suggest. Any vulnerable users who view an infected user profile will also become infected themselves as the script is injected through the CSS, which is how it has managed to spread itself so quickly.