andrew.hedges.name / blog

Dude. Mikeyy can’t even spell his own name.

April 12, 2009, 5:51 am · 12 comments · Filed under: JavaScript, Twitter

Yeah, I got p0wnd by the Mikeyy Worm on Twitter. It’s a simple JavaScript injection attack. You get it by visiting an infected person’s profile with JavaScript turned on in your web browser. Here’s how to stop the madness.

The first thing you need to do is turn off JavaScript! This is different on every browser, but this page has instructions for a few common ones.

Now that you have JavaScript disabled, you can fix your profile so you don’t infect anyone else. Follow these steps:

  1. Go to your password page and request a password reset. If you’ve been hacked, your password has been changed and you won’t be able to reset it any other way.
  2. Go to your settings page and delete anything you didn’t enter yourself (e.g., weird text in your bio, more info URL, etc.).
  3. Go to your profile design page and reset the colors for your profile. I found my link color had been changed to infected text. Unfortunately, you’ll have to have JavaScript turned on to change your colors through Twitter.com, but as long as you don’t visit anyone’s infected profile while you’re fixing your own, you should be OK.

That should do it. If you have seen cases where the above isn’t sufficient to fix a hacked profile, please describe the solution in the comments. Thanks!
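The fields the steps above reset (bio, more-info URL, design colors) could carry the worm because stored profile values were placed into the page without encoding or validation. The following is an illustration added here, not code from this post or from Twitter: a toy Node.js profile renderer with the unsafe pattern beside a hardened one, plus a small check for spotting injected field values. The field names, sample values and helper names are constructed for the example.

```javascript
// Added example (not from the original post or from Twitter): a toy profile
// renderer showing the defect a stored-XSS worm relies on, and the fix.
// Field names and sample values are constructed for illustration.

// Constructed poisoned profile: the bio and the link color both carry
// markup instead of plain text / a color value.
const poisonedProfile = {
  name: "mikeyy",
  bio: 'Hi there<script src="http://example.invalid/x.js"></script>',
  linkColor: '#ff0000; } </style><script src="http://example.invalid/x.js"></script>',
};

// Vulnerable renderer: fields are interpolated straight into HTML, so any
// <script> stored in a field runs in every visitor's browser.
function renderProfileUnsafe(p) {
  return `<style>a { color: ${p.linkColor}; }</style>` +
         `<h1>${p.name}</h1><p>${p.bio}</p>`;
}

// HTML entity encoding for text placed in element content or attributes.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// A color lands inside a <style> block, where entity encoding does not
// apply: the value must be validated, not encoded. Accept only a 3- or
// 6-digit hex color and fall back to a safe default otherwise.
function sanitizeColor(s, fallback = "#000000") {
  return /^#(?:[0-9a-f]{3}|[0-9a-f]{6})$/i.test(s) ? s : fallback;
}

// Hardened renderer: every field is encoded or validated for its context.
function renderProfileSafe(p) {
  return `<style>a { color: ${sanitizeColor(p.linkColor)}; }</style>` +
         `<h1>${escapeHtml(p.name)}</h1><p>${escapeHtml(p.bio)}</p>`;
}

// Clean-up helper: flags a stored field value that contains an HTML tag or
// a javascript: URL, so the owner knows which settings to wipe and re-enter.
function fieldLooksInjected(value) {
  return /<\/?[a-z][\w-]*[\s>\/]|javascript\s*:/i.test(String(value));
}
```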



12 comments


Changing passwords is NOT necessary, all that is needed is a sign out from the Twitter WebUI to destroy/invalidate the session cookie that the ‘Mikeyy’ worm is using.

Until the vulnerability in the profiles is fixed or corrected, either leave your JavaScript off, stay off the web client, or don’t visit any more profiles, because it’s just as easy to get hit by it all over again.

It was a 17 year old kid. Smh. I was actually worried a lil bit. They have fixed the problem.

More on the hack at my blog

More info about how this all started.

Also, supposedly, Twitter have closed the security hole that enabled this in the first place.

TURN OFF JAVA SCRIPT THEN GO TO UR SETTINGS IN TWITTER AND REMOVE EVERYTHING FROM YOUR SETTINGS, ESPECIALLY UR NAME, BIO ETC AS IT HAS EMBEDDED ITSELF THERE AND WILL BE GONE WHEN YOU REMOVED EVERYTHING. IT WORKED PERFECT FOR ME! HOPE I MAKE SENSE…

I FORGOT TO ADD…ALSO MAKE SURE U GO INTO SETTINGS ON TWITTER THEN INTO DESIGN AND IN UR CHANGE DESIGN COLOURS REMOVE MIKEY THERE TOO!

Mashable also recommends clearing your browser cache and deleting all Twitter-related cookies. It probably isn’t necessary to change your Twitter password, but it can’t hurt.

I emailed with Giorgio Maone, developer of the Firefox plug-in NoScript. He says—on the default settings—the plug-in would have prevented the exploit from succeeding.

He also pointed me to this excellent analysis of the worm by Damon Cortesi. One of the reasons the exploit works is that Twitter isn’t properly stripping <script> tags and/or encoding entities in form fields. Surely, with US$55 million in funding, Twitter can do better.

Twitter: boring mundane blogs brought to an entire new, yawn level. Totally useless.

Thanks a lot for this post. I have been a victim of this too.

Follow me at http://www.twitter.com/twitadu Also visit me at http://www.explainstuff.com See ya there!
