
Teen Disrupts Twitter with Mikeyy Worm

Techtree News Staff, Apr 14, 2009 1558 hrs IST

Twitter fixes the holes

Over the weekend, the micro-blogging site Twitter became the victim of two major exploits against the site's code. On Saturday, the StalkDaily.com worm irritated Twitter users, who were enticed to click on a link that resulted in infected user profiles. The Twitter tech team fixed the hole on Saturday after it had compromised about 90 accounts.

Following that, on Sunday, a worm named 'Mikeyy' savaged user profiles and sent updates from the infected users' accounts. A 17-year-old who called himself Michael 'Mikeyy' Mooney came clean and accepted responsibility for planting the XSS (cross-site scripting) exploits. A cross-site scripting exploit allows a person to inject malicious code into a web page that is being viewed by someone else.

Mikeyy is a JavaScript-based exploit that spreads when a user visits a friend's user profile. The worm infects the user profile and sends out Twitter updates from the infected accounts like:

Twitter please fix this, regards Mikeyy
How TO remove new Mikeyy worm! RT!! http://bit.ly/yCL1s

In an interview with CNET, Mooney said, "I thought about it later, and basically did it because I was bored." The Mikeyy worm typically spread when the user name or image of an infected account holder was clicked on; the worm then infected the followers of that account holder.
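The class of bug described above, a profile page that echoes stored user input back to every visitor, shown beside a hardened version. This is an added example, not code from the article or from Twitter; the profile field names and the sample payload host are assumptions constructed for illustration.

```javascript
// Constructed sample profile. Field names are hypothetical, not Twitter's schema.
const sampleProfile = {
  name: 'Alice',
  url: '"><script src="//example.invalid/w.js"></script>', // constructed payload
  bio: 'I <3 micro-blogging',
};

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the characters that can close a tag or an attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only absolute http(s) URLs as link targets; reject everything else.
function safeHref(value) {
  try {
    const u = new URL(String(value));
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch {
    return null; // not a parseable absolute URL
  }
}

// BEFORE: stored fields are concatenated into markup as-is, so a crafted
// "url" value closes the href attribute and adds a script element that
// runs in every visitor's session.
function renderProfileUnsafe(p) {
  return `<h1>${p.name}</h1><a href="${p.url}">${p.url}</a><p>${p.bio}</p>`;
}

// AFTER: every field is encoded for its output context, and the link is
// emitted only when the stored value is a real http(s) URL.
function renderProfileSafe(p) {
  const href = safeHref(p.url);
  const link = href
    ? `<a href="${escapeHtml(href)}" rel="nofollow">${escapeHtml(href)}</a>`
    : '';
  return `<h1>${escapeHtml(p.name)}</h1>${link}<p>${escapeHtml(p.bio)}</p>`;
}
```

Encoding at output time stops the stored value from being parsed as markup; it does not remove the value from the database, so already-infected profiles still need cleaning.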

The Mikeyy worm infected about 100 accounts and sent out 10,000 updates, which were later deleted by Twitter's security engineers. On Monday, 13 April, Mikeyy also topped the search queries at http://search.twitter.com.

The nature of the attack was merely to reveal the holes in Twitter's website.

Twitter said in a statement on Saturday, "No passwords, phone numbers, or other sensitive information were compromised as part of this attack." If your account is infected, head to Twittercism, which will help you remove the infection.

To protect yourself, use a third-party Twitter client like Twhirl or TweetDeck. Firefox users can download and install the NoScript extension to stop any further JavaScript exploits.

Users are also advised to change their passwords at regular intervals, maybe on a monthly basis. Meanwhile, avoid visiting any of your friends' or new followers' profiles on the web interface.

What a 17-year-old kid did out of boredom could trigger more social engineering attacks on Twitter's website. However, Twitter has been constantly optimizing and tweaking the web interface. It's surprising that several Twitter account holders still get the old web user interface while many lucky ones enjoy the snazzy newest version.

Twitter is widely used as a tool for generating website and blog traffic, as well as for promotion and marketing. But attacks like Mikeyy will plant doubts in users' minds about whether they should click on links or not. Our message is loud and clear: avoid checking user profiles and avoid clicking on links posted in updates.
