StalkDaily worm exploits cross-site scripting flaw.

Popular micro-blogging site Twitter has been hit by yet more security incidents over the Easter weekend, although the intent seems to have been mischief rather than password harvesting this time.

The site suffered from three attacks targeting a cross-site scripting flaw. The worm, dubbed “StalkDaily”, seems to have been created as a publicity stunt by Michael "Mikeyy" Mooney, the owner of a Twitter-style site of the same name.

“At about 2AM on Saturday, four accounts were created that began spreading a worm on Twitter,” wrote Twitter co-founder Biz Stone on the Twitter blog yesterday.

“From 7:30AM until 11AM PST, our security team worked on eliminating the vectors that could identify this worm. At that time, about 90 accounts were compromised. We identified and secured these accounts.”

The worm spread by encouraging users to click on a link to visit the StalkDaily.com site. When they did, their own profiles became infected and sent out similar spam-type messages to their contacts.

A second wave of the worm hit the same afternoon, compromising 100 more accounts, wrote Stone. Then yet another bout of attacks hit on Sunday.

“Our team quickly pulled together and started fighting the attackers in real time,” wrote Stone.

“Again, we secured the accounts that had been compromised and removed any content that might help spread the worm. All told, we identified and deleted almost 10,000 tweets that could have continued to spread the worm.”

Stone said Twitter is conducting a full review of what happened and that it is constantly re-evaluating its web coding practices "to learn how we can do better to prevent them in the future”.

Mikko Hyponnen, chief research officer at anti-malware firm F-Secure, warned users not to follow suspicious links.

“This is not over,” he wrote on the firm’s blog. “There’s going to be quite a few modified Twitter worms for a day or two. Be careful in Twitter.”