HOWTO: Remove Mikeyy From Your Twitter Profile (UPDATED)
Mikeyy is a similar Twitter exploit to yesterday’s StalkDaily. It can be removed pretty easily if you are infected.
(To see if you are infected, check your profile timeline for Mikeyy-approving tweets you didn’t submit yourself. They should be pretty easy to spot.)
How To Remove Mikeyy
- Turn off Javascript in your browser. (This will be in settings or options – Google for more detail.)
- Close down any exernal Twitter clients (i.e., TweetDeck or Tweetie).
- In your Twitter settings page, delete anything suspicious that you did not add yourself. Check everywhere carefully, but it’s usually in the URL or location fields.
- Check that your profile design hasn’t been compromised. Some folk are saying their colours have been reset. (You will need to turn Javascript back on to edit your profile design. This is fine at this stage.)
- Consider resetting your password on Twitter. There is no evidence that these hacks are malicious enough to break into your Twitter account, but why take the risk? You may also like to clear your cookies and cache (which can be found in your browser’s settings).
- Once done, log back out of your account and then back in. If Twitter has locked your account, or does so in the future, you will have to ask for a password reset.
If your Javascript is still disabled in your browser you can now re-enable it.
Mikeyy is not being hidden in shortened URLs, but you may wish to avoid clicking on these from sources you do not absolutely trust in case the URL takes you to an infected profile or other varient of the exploit. Likewise, avoiding visiting user profiles on Twitter or within TweetDeck until Twitter has said with absolute certainty that the threat has passed. Monitor Twitter’s status page for updates.
UPDATE: There have been some reports that infected profiles are visible by rolling your mouse over their username on Twitter.com. If infected, code is sometimes visible after their username in the URL bar. This can help you to avoid infected profiles.
These tips will likely work for any similar exploits on Twitter. You should also take all necessary precautions to protect yourself in the future.
(Lynne Pope has more detail and additional steps you can take at her blog.)
APRIL 12 UPDATE: Twitter has commented on the steps they took and are taking to handle these exploits on their official blog. As of 2130 GMT, and judging by instances on Twitter search, Mikeyy seems to have been defused. Panic and hyperbole remains – help out Twitter by forwarding concerned users to this blog. Thank you. 
APRIL 13 UPDATE: (1000 GMT) Mikeyy seems to have returned en masse (Twitter search), likely with a new strain. Twitter is once again addressing the situation. Meantime, you can take the steps above to remove Mikeyy if you are infected. Please share this post with all your friends on Twitter. Thank you.
APRIL 17 UPDATE: A new strain of Mikeyy returned to Twitter. The cure remains the same.
Like this post? Subscribe to my RSS feed and get loads more!
Loading ...
This is a bit misleading. The Mikeyy worm is very similar to the StalkDaily worm but has one major difference – the code is injected into the CSS of the profile and is not able to be cleaned out by Twitter users. The code is heavily obfuscated and seems to get reactivated if anyone logs in again after cleaning up the settings fields in the profile.
I’ve blogged about this here and given tips on how people can protect themselves: http://lynnepope.net/twitter-xss-attacks
‘Misleading’ is a bit of an odd choice of words.
The steps outlined worked for me and worked for others who tried them. Mikeyy hasn’t return to my profile or those who also took this course of action.
I don’t claim to be a security expert but in both instances (StalkDaily and Mikeyy) the measures I took worked for me, and also those who followed them.
Thanks for the link to your site. I’ll add it to my article above.
Yeah, sorry about that. I had a brain cell freeze up at almost 3.30am for me and sat for ages trying to think of a better way of phrasing.
Removing the script from the settings fields certainly worked for StalkDaily, but leaves code behind in the CSS for Mikeyy. Some folk have found this reactivated the injection into their bio, name and tweets after logging back in later.
The script has mutated several times so not everyone is getting hit with the exact same code.
Thanks for the link btw – that was unexpected and much appreciated
Who is Michael “Mikeyy” Mooney? a 17yr old from Winnfield, LA: http://sqworl.com/?i=a11951
Known kiddie who has been sent a Cease & Desist by Stickam for attacks, and tries to XSS his own classmates profile
Mikeyy has not been diffused; a bunch of my friend’s feeds were just “updated” with Mikeyy messages. I’ll pass this along to them.
Yes, a new strain has appeared this morning. I’ve updated this post and the cure should still work. Thanks for your comment.
so our computers are not infected? only our twitter accounts?
With the current strains of the worm(s), that would be correct – only your Twitter profile is affected. Although I would recommend taking further steps as outlined in this article to prevent similar (and more dangerous) exploits in the future.
I have been hacked. Ugh. After I disabling Javascript, I cannot get into Twitter at all. When I reenable Javascript, I can get back in. When I got to settings, I see where all the info has been replaced with Mikeyy, but I cannot change it. My cursor freezes up. Help??!!
What browser are you using? If it’s Firefox, install NoScript, which should solve the problem for you. http://noscript.net. If it’s IE, try Firefox.
No, try going to your Twitter settings first then disabling Javascript. It’s worked for lots of people so I’m not sure why it isn’t for you.
Twitter has been cleaning up after the XSS attacks and have disabled some accounts. It would be a good idea to open a ticket with Twitter and get them to fix your account.
That’s good advice Rebecca. Thanks Lynne.
my account was affected too.. it was automatically sending tweets everyday, i change my password and deleted its previous tweets, we'll see tomorrow if new tweet will be there