There is an XSS (cross-site scripting) vulnerability in Twitter's TweetDeck which could open the way for a rapidly spreading worm.
Michael Sutton, VP of security research at Zscaler, said that the vulnerability, which was discovered last night, could produce something like the Mikeyy worm that kicked off the trend back in 2009. All the Twitter worms to date have relied on cross-site scripting (XSS) vulnerabilities, which Twitter has been fairly diligent about weeding out.
“This time the XSS bug wasn't on the twitter.com site, but limited to the web-based version of TweetDeck, a popular front end that was acquired by Twitter back in 2011,” he said. While developers have become more aware of XSS, and programming environments and browsers have introduced automated protection mechanisms, XSS remains the most common vulnerability seen in web apps, he added. “It remains a common flaw even on popular Internet properties as it can be challenging to properly validate all user supplied input, especially when trying to be flexible and allow users to post rich media content. In this case Twitter user @firoxl accidentally uncovered the flaw when looking for a way to post an emoticon and others quickly piled on, using the flaw to force automated retweets.”
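The point Sutton makes about validating user-supplied input while still allowing rich content is easiest to see in code. The following is an added illustration, not code from TweetDeck or Twitter: a client-side renderer that places tweet text into HTML by raw string concatenation (the pattern that produces XSS) beside one that HTML-encodes the text and only keeps links whose scheme is http or https. The tweet object shape, the function names and the sample tweet are all constructed for the example.

```javascript
// Added example (not from TweetDeck): output encoding of user-supplied tweet
// content before it is inserted into the page's HTML.

// Characters that have meaning in HTML text or attribute context.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a string so it is rendered literally, never parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Keep a link only if it parses and uses http(s); every other scheme is dropped.
function safeHref(url) {
  try {
    const parsed = new URL(url);
    if (parsed.protocol === 'http:' || parsed.protocol === 'https:') {
      return parsed.href;
    }
  } catch (e) {
    // Unparseable input is treated the same as a disallowed scheme.
  }
  return null;
}

// The vulnerable pattern: user-controlled fields concatenated straight into markup,
// so any tag or attribute in the tweet text becomes part of the DOM.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// The hardened version: every user-controlled value is encoded for the context it
// lands in, and "rich" content (links) is allowed only through an allow-list.
function renderTweet(tweet) {
  const user = escapeHtml(tweet.user);
  const text = escapeHtml(tweet.text);
  const links = (tweet.urls || [])
    .map(safeHref)
    .filter((href) => href !== null)
    .map((href) => `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`)
    .join(' ');
  return `<div class="tweet"><b>@${user}</b> ${text}${links ? ' ' + links : ''}</div>`;
}

// Constructed sample tweet: text containing markup characters, one acceptable link
// and one link with a scheme the renderer must reject.
const SAMPLE_TWEET = {
  user: 'example',
  text: '<b>hi</b> & "bye"',
  urls: ['https://example.com/', 'javascript:void(0)'],
};

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return { unsafe: renderTweetUnsafe(SAMPLE_TWEET), safe: renderTweet(SAMPLE_TWEET) };
}

module.exports = { escapeHtml, safeHref, renderTweetUnsafe, renderTweet, SAMPLE_TWEET, demo };
```

Run it under Node and compare the two strings `demo()` returns: the unsafe rendering carries the `<b>` tag through verbatim, while the safe rendering shows it as text and keeps only the https link. In a real client the same separation applies to every sink (innerHTML, attribute values, URLs), which is why a framework that encodes by default is preferable to hand-written concatenation.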
Tom Cross, director of security research at Lancope, pointed out that XSS vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time. “Any organisation that runs a website should be testing their code for these vulnerabilities before they go into production. In this case, the consequence of the attack is mostly the ability to create annoying pop-ups that spread virally between users, but in other contexts XSS vulnerabilities can have more serious implications, which is why it's important to check for them,” he said.