Dude. Mikeyy can’t even spell his own name.

April 12, 2009, 5:51 am · 12 comments · Filed under: JavaScript, Twitter

Yeah, I got p0wnd by the Mikeyy Worm on Twitter. It’s a simple JavaScript injection attack. You get it by visiting an infected person’s profile with JavaScript turned on in your web browser. Here’s how to stop the madness.

Jump to article

andrew.hedges.name

Can your web browser do this?

You’ll never get rich digging a ditch, nor building Dashboard widgets.

A Kryptonite™ lock can be defeated in 11 seconds, but you still lock your bike, right?

Gaining Twitter followers is a little like losing weight. You have to try.

Over or under? It’s the age-old question when it comes to the orientation of toilet paper rolls.

Subscribe

Meta Me

I am a web developer, recently returned to the States after 3 years in New Zealand. I’m into my family, photography and frisbee sports.

Blip.fm Digg Facebook LinkedIn Stack Overflow Twitter Zooomr

Nothing will benefit human health and increase chances for survival of life on earth as much as the evolution to a vegetarian diet.
Albert Einstein

Topics

Apple · AppleScript · Business · Coda · CSS · Dashboard · Design · Google · InSTEDD · JavaScript · jQuery · Life · Marketing · Music · New Mexico · New Zealand · Open Source Software · Photography · PHP · Politics · Ruby on Rails · Scree · Subversion (SVN) · Twitter · Usability · Web Development · Widgets

Archives

Most Popular

CSS Fast Nav: Because (perception of) speed matters! · Personal Branding for Introverts · Stupid WebKit Tricks · Add an interactive legend to a MarkerManager managed Google Map · Dude. Mikeyy can’t even spell his own name. · Dashboard Widgets for Fun and Profit · Animating your iPhone web application · How-to recover from checksum mismatch errors in SVN · Why Apple can afford to charge so little for Snow Leopard · When is a global variable not a variable?

Most Recent

CSS Fast Nav: Because (perception of) speed matters! · When is a global variable not a variable? · Our misguided culture of cool · InSTEDD: Open Source Software that saves lives · Add an interactive legend to a MarkerManager managed Google Map · Personal Branding for Introverts · Moments of Rangitoto · Some Twitter conventions · Why Apple can afford to charge so little for Snow Leopard · Stupid WebKit Tricks

Twitshirt

Twitshirt is a tweet on a shirt. Buy the one below or check out my most recent tweets.

IE6 team still tops the list of "folks I'd like to kick in the nuts", but whoever invented .DS_Store is a close second.

See a random Twitshirt-worthy tweet.

Friends

80/20 · 90 Seven Design · Alyson Hurt · Andrew Nimick · Apps & Hats · Ben Young · Brian Arnold · Brian Warren · Carl Bolter · Chris Burgess · Christine Morris · Cristina Stoian · Daniel Lyons · Daniel Schwartz · David Hedges · Hamish Campbell · Jochen Daum · John Visser · Joseph McLaughlin · Joshua Sallach · Julian Pistorius · Justine Sanderson · Kalena Jordan · Katie Graham · Kelly Green · Kevin Potis · Mark Bixby · Matt Henry · Method Arts · Morgan Pyne · Peter Michaux · Philip Tellis · Piers Harding · Rebecca Murphey · Reid Givens · Rey Bango · Rhett Anderson · Richard Paul · Rob Pongsajapan · Robin Taylor · Ryan Park · Shaun Lee · Simon Young · Su Yin Khoo · Toni Barrett · Vaughan Rowsell · Vincent Thomé · Voom Studio

Recommended Books on
Web Development

My bias is for references over “cookbooks.” I want to know all of my options, not just one way to do something. Show me the why as well as the how and I am happy.

JavaScript: The Good Parts · Object-Oriented JavaScript: Create scalable, reusable high-quality JavaScript applications and libraries · JavaScript: The Definitive Guide · Designing with Web Standards · CSS: The Definitive Guide · Prioritizing Web Usability · The Elements of User Experience · Web ReDesign: Workflow that Works · Don't Make Me Think: A Common Sense Approach to Web Usability

Contact Info

Contact info for Andrew Hedges

I’ve hosted this website with pair Networks since 1997. They rock.

This blog is powered by…software I wrote.

Feeling generous? Knock yourself out!

The first thing you need to do is turn off JavaScript! This is different on every browser, but this page has instructions for a few common ones.

Now that you have JavaScript disabled, you can fix your profile so you don’t infect anyone else. Follow these steps:

  1. Go to your password page and request a password reset. If you’ve been hacked, your password has been changed and you won’t be able to reset it any other way.
  2. Go to your settings page and delete anything you didn’t enter yourself (e.g., weird text in your bio, more info URL, etc.).
  3. Go to your profile design page and reset the colors for your profile. I found my link color had been changed to infected text. Unfortunately, you’ll have to have JavaScript turned on to change your colors through Twitter.com, but as long as you don’t visit anyone’s infected profile while you’re fixing your own, you should be OK.

That should do it. If you have seen cases where the above isn’t sufficient to fix a hacked profile, please describe the solution in the comments. Thanks!

Short URL to this article:
Tweet this article!


12 comments

Changing passwords is NOT necessary, all that is needed is a sign out from the Twitter WebUI to destroy/invalidate the session cookie that the ‘Mikeyy’ worm is using.

Posted by: Beau Giles · April 12, 2009, 10:40 pm

Until the vulnerability in the profiles is fixed or corrected, either leave your javascript off, stay off the web client, or don’t visit any more profiles. because it’s just as easy to get hit by it all over again.

Posted by: @Kenop · April 12, 2009, 10:53 pm

It was a 17 year old kid. Smh. I was actually worried a lil bit. They have fixed the problem.

Posted by: TyCody · April 12, 2009, 10:55 pm

More on the hack at my blog

Posted by: Lucas · April 12, 2009, 11:02 pm

More info about how this all started.

Posted by: Andrew Hedges · April 12, 2009, 11:07 pm

Also, supposedly, Twitter have closed the security hole that enabled this in the first place.

Posted by: Andrew Hedges · April 12, 2009, 11:09 pm

TURN OFF JAVA SCRIPT THEN GO TO UR SETTINGS IN TWITTER AND REMOVE EVERYTHING FROM YOUR SETTINGS, ESPECIALLY UR NAME, BIO ETC AS IT HAS EMBEDDED ITSELF THERE AND WILL BE GONE WHEN YOU REMOVED EVERYTHING. IT WORKED PERFECT FOR ME! HOPE I MAKE SENSE…

Posted by: fiona downunder · April 12, 2009, 11:11 pm

I FORGOT TO ADD…ALSO MAKE SURE U GO INTO SETTINGS ON TWITTER THEN INTO DESIGN AND IN UR CHANGE DESIGN COLOURS REMOVE MIKEY THERE TOO!

Posted by: Fionadownunder · April 13, 2009, 12:45 am

Mashable also recommends clearing your browser cache and deleting all Twitter-related cookies. It probably isn’t necessary to change your Twitter password, but it can’t hurt.

Posted by: Andrew Hedges · April 13, 2009, 8:41 am

I emailed with Giorgio Maone, developer of the Firefox plug-in NoScript. He says—on the default settings—the plug-in would have prevented the exploit from succeeding.

He also pointed me to this excellent analysis of the worm by Damon Cortesi. One of the reasons the exploit works is that Twitter isn’t properly stripping <script> tags and/or encoding entities in form fields. Surely, with US$55 million in funding, Twitter can do better.

Posted by: Andrew Hedges · April 13, 2009, 11:11 pm

Twitter: boring mundane blogs brought to an entire new, yawn level. Totally useless.

Posted by: Clarkson · May 13, 2009, 8:22 am

Thanks a lot for this post. I have been a victim of this too.

Follow me at http://www.twitter.com/twitadu Also visit me at http://www.explainstuff.com See ya there!

Posted by: explainstuff · May 27, 2009, 1:14 am

Comments close automatically after 90 days.
Still have something to say? Drop me a line!

Possibly related posts

Home · Blog · Folio · Resume · Widgets · Coding experiments · The Kids Page · Contact
Copyright © 1995-2009. All rights reserved.