WHID 2009-37: Twitter XSS/CSRF worm series (Updated)

Updated: 19 April 2009

Attack Information
WHID ID: 2009-37
Date Occurred: 11 Apr 2009

Outcome Information
Outcome: 

Target Information
Attacked Entity Field: Web 2.0

Source Information
Attack Source Geography: USA

Update (Apr 19th 2009) - The initial Mooney Twitter worm has evolved into a series of 5 worms at the time of writing, each exploiting a different vulnerability in Twitter. The latest one specifically targets Twitter accounts with a high number of followers, and therefore celebrities such as Ashton Kutcher and Oprah Winfrey, according to Graham Cluley of Sophos.

The hack seems to have paid off for Mikeyy Mooney, who was hired as a security consultant following the incident.


Twitter is in the spotlight again. Mikeyy Mooney, the 17-year-old creator of StalkDaily.com, a Twitter alternative, admitted to hacking his giant competitor by implementing a worm that propagated itself through Twitter, making every affected user tweet about StalkDaily. Mikeyy certainly got the advertising and page views he was looking for.

Mikeyy Mooney, the Twitter worm's creator

Mikeyy's worm is a good example of how CSRF and XSS can be combined into a strong blended attack, in this case a self-propagating worm. A Web 2.0 site built on user-generated content, such as Twitter, is often vulnerable to stored XSS. This usually means that a user can put malicious code into his own profile, and everyone who views that content gets hit. Without any other vulnerability to complicate things, you are safe as long as your friends are trustworthy.

However, if the site is also vulnerable to CSRF, the XSS payload can carry, in addition to its own payload, the code that plants the same XSS again, executed with the attacked user's credentials. That modifies his content, so his own friends get hit, then their friends, and so on.
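To show the defensive side of the mechanism described above, here is an added Python simulation (not code from Twitter, from the worm, or from this database): a tiny profile site with a vulnerable and a hardened update handler and renderer, plus a chain-of-views simulation showing that either output encoding or a session-bound CSRF token stops the propagation. The function names, the in-memory store and the placeholder script string are all assumptions made for the example.

```python
import html
import secrets

# Constructed in-memory stand-in for a profile site (not Twitter's code).
PROFILES = {}   # user -> bio text exactly as submitted
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}

def login(user):
    """Create a session carrying a per-session anti-CSRF token."""
    sid = secrets.token_hex(8)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid

def update_profile_vulnerable(sid, bio, csrf_token=None):
    """Any request with a valid session cookie is honoured, so a request
    forged by script running in the victim's browser succeeds."""
    PROFILES[SESSIONS[sid]["user"]] = bio
    return True

def update_profile_hardened(sid, bio, csrf_token=None):
    """Same write, but only if the request echoes the session-bound token."""
    sess = SESSIONS[sid]
    if not secrets.compare_digest(csrf_token or "", sess["csrf"]):
        return False
    PROFILES[sess["user"]] = bio
    return True

def render_profile_vulnerable(user):
    """Stored XSS: the bio is concatenated into HTML unescaped."""
    return "<div class='bio'>" + PROFILES.get(user, "") + "</div>"

def render_profile_hardened(user):
    """Output encoding turns any markup in the bio into inert text."""
    return "<div class='bio'>" + html.escape(PROFILES.get(user, "")) + "</div>"

def worm_hops(users, escape_output, check_csrf):
    """Simulate a viewing chain: users[i+1] views users[i]'s profile; a live
    script forges a profile update for the viewer. Returns infected count."""
    render = render_profile_hardened if escape_output else render_profile_vulnerable
    update = update_profile_hardened if check_csrf else update_profile_vulnerable
    infected = 1
    for author, viewer in zip(users, users[1:]):
        if "<script>" not in render(author):
            break                       # markup neutralised: script never runs
        # Forged cross-site request: assumed unable to read the viewer's token.
        if not update(login(viewer), PROFILES[author]):
            break
        infected += 1
    return infected
```

The simulation assumes the forged request cannot read the viewer's token; script injected through stored XSS actually runs in the site's own origin and can read it, so output encoding is the control that really breaks this class of worm, with the CSRF check as defence in depth.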

You can find the technical details of the attack on Damon Cortesi's blog. You may also be interested in the full XSS payload.