Wednesday, April 15, 2009

Twitter worm mishap was a schoolboy security error

If security is the buzzword of 2009, and Twitter the media darling of the social networking news cycle, things did not go quite to plan over the Easter weekend.

Twitter found itself in an embarrassing position. Whilst businesses bend over backwards to find a way to utilise the microblogging tool, Twitter was hit by a series of virus attacks last weekend that caused havoc on users’ pages.

The virus, known as the Mikeyy worm, spreads when users view an infected page on the Twitter site. This allows the virus to begin posting tweets to other users promoting the site StalkDaily.com.

Twitter said no information had been compromised by the virus, and is considering court action against the 17-year-old virus creator, Michael Mooney. Mooney said that he created the worm for various reasons: out of boredom, to promote his own site, and to expose Twitter’s weaknesses.

Twitter co-founder Biz Stone was quick to assert that everything was under control:

“Every time we battle an attack, we evaluate our web coding practices to learn how we can do better to prevent them in the future,” he said.

“We will conduct a full review of the weekend activities.”

The damage, however, has been done; Mooney seems to have achieved his aim of exposing Twitter’s weaknesses. Mikko Hypponen, chief research officer at F-Secure, told the BBC that it would have been remarkably easy, using the worm, to infect users’ computers as well as their Twitter accounts. He also said it would have been simple to use the virus to record the keystrokes of infected users, meaning that all sorts of information, such as bank details, could have been captured.

This highlights all sorts of technical problems with Twitter, which until now has managed to escape criticism behind a smokescreen of innovation and online chic. Barmak Meftah, senior vice president of products and technology at Fortify Software, said that Twitter must include code audit and security processes in its software development cycle. In fact, he went on to say that the XSS worm that hit Twitter was hardly a new kind of virus, and implied that Twitter, for all its ingenuity, should have been prepared:

"Media reports have made much about the author of what appears to be the first generation of Twitter worms,” Meftah said, “but they appear to have missed the point that these are actually basic cross-site scripting (XSS) security problems."
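To make the "basic cross-site scripting" point concrete, here is an added illustration (not code from Twitter, Fortify or the article) of the pattern behind a stored XSS worm on a microblogging site: user-controlled profile fields rendered straight into HTML, beside the hardened rendering that escapes them and allow-lists the link scheme. The profile fields and helper names are constructed for the example.

```python
import html
from urllib.parse import urlsplit

# Constructed sample profile standing in for the user-controlled fields a
# microblogging site renders on every visitor's page. The values are test
# inputs made up for this example, not the real worm payload.
SAMPLE_PROFILE = {
    "name": 'Mikeyy <script>alert("xss")</script>',
    "website": "javascript:alert(1)",
    "bio": 'Visit "StalkDaily" & friends',
}

ALLOWED_URL_SCHEMES = {"http", "https"}


def render_profile_unsafe(profile):
    """The 'before' form: user input is concatenated straight into HTML.
    Markup in a name or bio runs in every viewer's browser, which is the
    stored-XSS pattern the article describes."""
    return (
        f'<h1>{profile["name"]}</h1>'
        f'<a href="{profile["website"]}">website</a>'
        f'<p>{profile["bio"]}</p>'
    )


def safe_url(value):
    """Allow only http(s) links; any other scheme becomes an inert '#'."""
    scheme = urlsplit(value.strip()).scheme.lower()
    return value if scheme in ALLOWED_URL_SCHEMES else "#"


def esc(text):
    """HTML-escape with quotes included, so the result is safe in attributes too."""
    return html.escape(text, quote=True)


def render_profile_safe(profile):
    """The hardened form: escape every text field for its HTML context and
    allow-list the URL scheme before it reaches an href."""
    return (
        f'<h1>{esc(profile["name"])}</h1>'
        f'<a href="{esc(safe_url(profile["website"]))}">website</a>'
        f'<p>{esc(profile["bio"])}</p>'
    )


def contains_active_markup(rendered):
    """Crude defender's check: does a live <script or javascript: href survive?"""
    low = rendered.lower()
    return "<script" in low or 'href="javascript:' in low
```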

Twitter’s security problems do not end with its system. The efforts of the administrative staff seem a little amateur at times as well. Back in January this year, a teenaged hacker managed to breach Twitter’s security and hijack several high-profile accounts by guessing the rather simplistic password of a member of Twitter’s support staff.

All of this points to one basic flaw with web 2.0, as highlighted by Meftah in his interview with AjaxWorld. In the rush to create the next hot networking tool, developers have forgotten the basics of security in a way that, Meftah says, is reminiscent of the early days of the internet.

Inatech’s latest security offering is designed to counter these kinds of risks. The Inatech iBDA Secure Database Security Assessment Service is available to businesses that rely on the security of information held within their databases, or have concerns about the security of those databases.
