Dude. Mikeyy can’t even spell his own name.

April 12, 2009, 5:51 am · Filed under: JavaScript, Twitter

Yeah, I got p0wnd by the Mikeyy Worm on Twitter. It’s a stored cross-site scripting (XSS) attack: script injected into profile fields runs in the browser of anyone who views an infected profile with JavaScript turned on, and it uses that visitor’s logged-in Twitter session to write the same payload into their profile. Here’s how to stop the madness.

The first thing you need to do is turn off JavaScript. How you do this differs from browser to browser, but this page has instructions for a few common ones.

Now that you have JavaScript disabled, you can fix your profile so you don’t infect anyone else. Follow these steps:

  1. Sign out of Twitter, then go to your password page and request a password reset. The worm runs inside your logged-in browser session rather than with your password, so signing out invalidates the session cookie it was using; the reset is insurance in case anything else about your account was changed.
  2. Go to your settings page and delete anything you didn’t enter yourself (e.g., weird text in your name, bio, more info URL, etc.). Those stored fields are where the payload lives, and they are what infects anyone who views your profile.
  3. Go to your profile design page and reset the colors for your profile. I found my link color had been changed to infected text. Unfortunately, you’ll have to have JavaScript turned on to change your colors through Twitter.com, but as long as you don’t visit anyone’s infected profile while you’re fixing your own, you should be OK.

That should do it. If you have seen cases where the above isn’t sufficient to fix a hacked profile, please describe the solution in the comments. Thanks!



12 comments

Changing passwords is NOT necessary, all that is needed is a sign out from the Twitter WebUI to destroy/invalidate the session cookie that the ‘Mikeyy’ worm is using.

Posted by: Beau Giles · April 12, 2009, 10:40 pm

Until the vulnerability in the profiles is fixed or corrected, either leave your JavaScript off, stay off the web client, or don’t visit any more profiles, because it’s just as easy to get hit by it all over again.

Posted by: @Kenop · April 12, 2009, 10:53 pm

It was a 17-year-old kid. SMH. I was actually worried a little bit. They have fixed the problem.

Posted by: TyCody · April 12, 2009, 10:55 pm

More on the hack at my blog

Posted by: Lucas · April 12, 2009, 11:02 pm

More info about how this all started.

Posted by: Andrew Hedges · April 12, 2009, 11:07 pm

Also, supposedly, Twitter have closed the security hole that enabled this in the first place.

Posted by: Andrew Hedges · April 12, 2009, 11:09 pm

Turn off JavaScript, then go to your settings in Twitter and remove everything from your settings, especially your name, bio, etc., as it has embedded itself there and will be gone when you have removed everything. It worked perfectly for me! Hope I make sense…

Posted by: fiona downunder · April 12, 2009, 11:11 pm

I forgot to add… also make sure you go into Settings on Twitter, then into Design, and in your Change Design Colours remove Mikey there too!

Posted by: Fionadownunder · April 13, 2009, 12:45 am

Mashable also recommends clearing your browser cache and deleting all Twitter-related cookies. It probably isn’t necessary to change your Twitter password, but it can’t hurt.

Posted by: Andrew Hedges · April 13, 2009, 8:41 am

I emailed with Giorgio Maone, developer of the Firefox plug-in NoScript. He says—on the default settings—the plug-in would have prevented the exploit from succeeding.

He also pointed me to this excellent analysis of the worm by Damon Cortesi. One of the reasons the exploit works is that Twitter isn’t properly stripping <script> tags and/or encoding entities in form fields. Surely, with US$55 million in funding, Twitter can do better.

Posted by: Andrew Hedges · April 13, 2009, 11:11 pm

Twitter: boring mundane blogs brought to an entire new, yawn level. Totally useless.

Posted by: Clarkson · May 13, 2009, 8:22 am

Thanks a lot for this post. I have been a victim of this too.

Follow me at http://www.twitter.com/twitadu Also visit me at http://www.explainstuff.com See ya there!

Posted by: explainstuff · May 27, 2009, 1:14 am
