Donors Choose - Grizzly's Giving Page

Tuesday, April 14, 2009

#mikeyy for dummies

By now most folks online have some idea that there was a "worm," "virus" or "phishing scheme" on Twitter over the last couple of days.  True, sort of. 

There have been a number of explanations I have seen online that go into heavy, technical detail about what happened, why,  how, and by whom, written by folks with a lot more expertise on this stuff than I have.  I'm not a programmer, haven't done any coding in years now.  I'm the web-design equivalent of a three year old with some chalk and a bunch of stickers.  But I think I have a pretty fair idea of what happened.  Not as much as the trained folk, and not as little as most folks.  I figured I'd run it down here because (1) I want to see if I can make sense of it, (2) it might make me look clever, and (3) I hadn't put anything in my blog for a long while, so what the hell.

So, what happened, at least roughly, and how could it happen?  Was it a "Twitter worm" or "Twitter virus?"  Not exactly.

Let's start at the simplest level.  There's a whole lot of Stuff on the web these days.  Back at the beginning, though, it was simply a way to convey information.  Words.  Text.  The folks who started it wanted to (a) have the text formatted better, and (b) do a few clever things with connecting one patch of text with another.  That's what HTML is for -- HyperText Markup Language.  Put in some text, put before it and after it, and the middle stuff is bold.  That didn't work, did it?  Fine, but that's the idea.

Web pages, at their hearts, are text.  If you see a picture, the page itself has a text instruction to display a picture file, and a text description of where the picture is.  See, even the instructions are text.

That's just a passive, static webpage.  Want the page to actually cause something to happen?  Write a script.  The script is mostly more text, and the HTML part of the page includes a simple text instruction to run the more complex script.  What runs the script, the web, right?  Nope.  Your browser runs the script.  Your browser reads the HTML, sees an instruction to run a script, and blythely assumes it should just go ahead and do that, since there are after all no Bad People on the Interweb that might want to run a script on your computer to do Bad Stuff.  There are several different types of script, and scripts can do a whole slew of different things, some good, some bad.  But the gist of what I just said is correct, more or less.

If I was a bad guy, I could put a text command in the HTML on my webpage to run a script.  Your browser sees the command, and runs the script.  Since the browser is on your computer, it runs the script on your computer, from inside your browser.  And that script can do anything on your computer that can be done by your browser, or by any other program you run.  Delete stuff, copy stuff, change stuff, whatever.  If I was doing that on my website, it'd be a Bad Idea to go there.

Okay, the Web is a lot more complicated than it used to be Back When I Was A Boy.  Now folks create forms on webpages where simple-minded users like myself can just type Stuff in, and that Stuff gets displayed on the webpage.  This should be no big deal.  After all, all I'm typing in is some Text, right?  Oh, waitaminute...

If there's a field where I can type in my name, and if the name I type in is going to be displayed in your webbrowser... what if instead of typing in my name, I typed in a command to run a script?  Your browser goes to my webpage, sees the SCRIPT command where my name should be, and blythely runs the script.  Ooops.  Bad thing.

So folks who design these forms where you can type in your name & such are supposed to check what you typed in, to make sure that it isn't a command to do anything unexpected, like for example, run a script.  That's just common sense.

Okay, we have a webpage designed in text, a form that allows any user to enter text into the website, and a text command that can run a script.  And here's where the fun begins for us Twitter users.

The folks who designed the User Profile pages for Twitter neglected to create their forms in such a way to make sure one couldn't type commands into those fields, and have them displayed as commands and executed by the browsers of those viewing those Profiles.  They assumed folks entering stuff into Twitter Profiles would be Nice and not do that.  Oops.  And every User Profile is built from an identical template, with a handful of changes Users can make to their own Profile.  So when there's a vulnerability, every User Profile is vulnerable.  Mostly.

What the cracker (possibly Mikeyy Mooney, as he claims) did, was to write a script, and create a couple of User Profiles.  He typed text into the data fields of those user profiles including a command to run that script.

Now in order for you to be able to Follow a user whose profile you're viewing, you have to be logged into Twitter.  When you log in, Twitter creates a token -- a string of numbers and letters -- that it can recognize later.  If I log in, and my browser goes to a page on Twitter, Twitter's website asks for that token, and the one my browser provides indicates This Is Grizzly's Browser.

So I go to one of those User Profiles Mikeyy set up with those commands in the fields, my browser sees the commands and runs the script.  Since the script is running inside my browser, it has access to that Token and can tell my browser to do whatever it's capable of doing.  One thing my browser can do is enter into my own User Profile -- I'm logged in, it's got the Token, it must be Me doing it -- and change my own user data there, to include a command to run that same script.  So the next person that views My User Profile has their browser see those commands, run the script, and change their User Profile, and so on.

Another thing my browser could do, since it's logged in as me, is enter Tweets.  And since the script is acting as Me, it can type in a Tweet or two saying "Go look at Stalk Daily Dot Com."

That's pretty much what happened there, to lots of people.  Not to me, though.

And another thing.  If (1) I'm logged in, and (2) that script runs, the script can copy and send that authentication Token to anywhere on the Internet, pretty much.  And (3) as long as I don't actually log out, even if I close my browser, shut off my computer and leave the country, more or less, that Token stays valid.  If I actually log out, the token becomes invalid.

So if Mikeyy had chosen to, he could have captured all those tokens, and had a program pretending to be a whole slew of browsers access my Twitter account or any other affected account and post anything he pleased, as often as he pleased.  He could change the passwords on any affected accounts.    That (he claims) he didn't do -- but the tokens were, according to some sources, sent back to somewhere.

Couple things you should notice here.  You probably first saw a bunch of messages from folks saying "whatever you do, don't click on links going to Stalk Daily Dot Com."  As far as I know, that script command wasn't on Stalk Daily Dot Com, though, it was on the User Profiles of the people who'd let their browsers read that SCRIPT command and run that script.  So going to Stalk Daily might have been a bad idea for a number of reasons, but not because it was going to get your User Profile changed, or get you infected by this particular malware.  (Never know what other Bad Stuff might have happened.)

You see tweets from people you follow, phrased in an uncharacteristic manner for them, talking about some website you've never heard of -- and sounding spammy -- you wanna see what's going on, you go to their profile, and then you get "infected."  Nothing has changed on your own computer.  Your User Profile is what was changed.  Now, could that script have copied some virus or other malware onto your computer, run some program, deleted some files?  Sure.  Happens all the time, which is why folks tell you not to go to websites you don't know, or click on links from sources you don't know to send you to websites you don't know.

But that wasn't what happened in this case.  The changes were made on your User Profile, not on your computer.  (As far as I know.  But I'm Just Some Guy.)

Why wasn't my User Profile affected?  Because the command on those Profiles on called a script that wasn't on, it was apparently on Mikeyy's own site.  I use Firefox as my browser, and have an add-on called NoScript.  If NoScript sees a command to run a script residing on a site I haven't specifically given permission to provide scripts, the script never gets run.  If you went to one of those User Profiles yourself, and your browser didn't run the script, none of the Bad Stuff happened to you.  This is why, shortly after all the chaos started, folks (including me) posted recommendations to be using NoScript.

If I had gone to a website that I trusted, and told NoScript to allow that site to run scripts, and for whatever reason a script there was written to do Bad Stuff to me, then the bad stuff would happen.  Because I gave permission for it to happen.

Scripts are not necessarily bad.  There are scripts run from my own blog and from my podcast page.  Most of the useful stuff done on the web is done with some sort of scripting or other.  I make an effort to ensure scripts run from my pages are not malicious.  But it's always wise to think carefully before allowing any script to run.  Even honest folk can get hacked.

And why was this "Mikeyy/Stalkdaily Worm" thing so bad?  Because you'd be going to, which you'd assume was a safe site, and be caught off-guard by an attack like this.  Also, because that script would affect anyone who went to a previously infected User Profile and allowed that script to run, and anyone affected could be spewing tweets with links to any site the cracker chose, those links from seemingly legitimate sources could send you to dangerous ground.  Some of those links could claim to point to sites explaining how to remove the whole "Mikeyy worm" thing.

Also, so many folks were panicking and running in circles, and clicking on whatever link was offered by whoever to get info on how to fix whatever was supposed to be wrong, which most didn't understand.  Given it's Twitter, essentially all of the provided links were tinyURLs & Bit.lys & whatnot, allowing no chance to see where the hell you were being sent before you clicked on the silly link.  Even would appear as, which could be anything.  (Just to make a point, I posted a couple of shortened links to the Rickroll YouTube video.  Don't know how many folks clicked on them, though.)

I won't preach about shoulda/woulda/coulda.  Lots of other folks are already doing that.  But I hope this has made some sense for you.  It's my best of understanding of what happened.

By the way, this wasn't a "Twitter worm."  The messaging tools in Twitter didn't transmit the malicious code, the User Profile websites and Settings websites did.  The messages were impacted by a form of Social Engineering, I suppose.  And the chaos and confusion kept circulating.

And is the whole thing "over?"  Or when will it be over?  Well, Twitter is supposed to be fixing their Settings pages to check the user-entered data to ensure it doesn't include things like SCRIPT commands.  (Which they should have done in the first place.)  If and when they successfully do that, then this particular nasty won't work anymore.  Which is not to say there won't be something else, later.

But if any passwords were stolen, and haven't been changed, then those accounts could be fiddled with again.  Some accounts may have been tampered with in other ways.  Some compromised accounts might have been used to post links to malicious websites.  And even if every aspect of this incident was cleaned up, someone else could come up with something else and betray us once again.

So in a real sense, even when it's over, it's not over, it's never over, and it never will be over.

And what do you think they should do to such folks?  How does that whole "tried as an adult" thing work again?  Lot of angry people out there.

Just sayin'.


No comments:

Post a Comment

Episode Zero -- A Minor Local Celebrity

With "Meditation Impromptu" by Kevin MacLeod Originally posted to Libsyn under my original setup around 02/2007.  When I ran out ...