Teen Twitter worm writer lands job in IT

The teenager who takes credit for the worms that hit Twitter earlier this week has been hired by a web application development company and on Friday released a fifth worm on the microblogging site, he said.

Twitter fought off four waves of worm attacks last weekend and into Monday in which Twitter users were infected just by clicking on the name or image of someone whose account was infected. The worms appeared to do no damage other than spread to infected users' followers and modify profile pages.

Michael Mooney, a 17-year-old living in New York, told silicon.com sister site CNET News that he wrote the worms because he was bored and wanted to bring Twitter's attention to the security holes.

Mooney also grabbed the attention of Travis Rowland, founder of ExqSoft in Oregon who has hired the teen.

Rowland told CNET News on Friday that he saw the worms on Twitter and was impressed with Mooney's skills so he contacted him about working for him doing security analysis. "I saw his website and he coded that all from hand and it was pretty impressive; it was a complete Twitter clone," Rowland said.

After landing the job, Mooney spread the latest worm, which exploits a fifth vulnerability at the site, he said. Asked why he doesn't contact Twitter directly instead of launching the attacks, the graduating high school senior said he had tried but had received no response.

"I just want to let [Twitterers] know that my intent is not to aggravate them," Mooney said in a phone interview with CNET News. "It's probably not the best way but it's the only way I can reach out to Twitter so they will fix the vulnerability."

The latest worm exploits a cross-site scripting vulnerability and posts messages from infected accounts that reference celebrities and references to Mooney getting hired by ExqSoft, according to a blog post by Graham Cluley, a senior technology consultant with security firm Sophos.

Cluley criticised ExqSoft's hiring of Mooney, saying the teen should not be rewarded for behaving irresponsibly. The teen not only wasted the time of thousands of Twitter users and company engineers, Cluley said, but put Twitterers at risk of having their identities stolen or malware installed on their machines by financially motivated hackers who could have used the cross-site scripting flaw that Mooney used.

ExqSoft's Rowland said: "In my opinion, I don't believe it was malicious. He could have been farming for personal information like email addresses and phone numbers. He potentially could have exposed that information to any numerous sources."

In a tweet last weekend, Rowland implored Twitter to not prosecute Mooney, arguing that he did them a favour by alerting them to a security hole.

Asked earlier in the week about the prosecution scenario for Mooney, Jennifer Granick, an attorney with the Electronic Frontier Foundation, said in an email: "If he's 17, he will not be federally prosecuted and the sentencing, should he be found or plead guilty, should be more about rehabilitation than punishment."

Rowland said he plans to help guide Mooney away from pranks and toward a promising career as a white hat hacker.

"He's got a lot of growing up to do but he's a really good guy and he has a lot of passion for what he does," Rowland said. "Hopefully, I can influence him in the right way."

Twitter executives did not respond to an email seeking comment.

Original article: Teen Twitter worm writer gets job, spreads new worm from CNET News.com