Over the weekend, a computer worm attacked the Twitter messaging service in three distinct attacks, generating almost 10,000 spam tweets -- as online posts are called in Twitter's twee terminology -- and compromising at least 190 accounts.

In a post on the Twitter blog, company co-founder Biz Stone said that no sensitive information was compromised as a result of the attacks.

The worm uses a cross-site scripting (XSS) flaw in Twitter to send spam tweets from infected accounts. The infection appears to have started when the worm's creator opened four new Twitter accounts containing the infectious code. The worm spread when Twitter users viewed the user profiles of the infected accounts.

"This is particularly nasty because you could get infected simply by viewing somebody’s profile page on Twitter that was already infected," explained developer Damon Cortesi in a blog post Saturday. "If you visited an infected profile, the JavaScript in the profile would execute and by doing so tweet the misleading link, and update your profile with the same malicious JavaScript thereby infecting anybody that then visits your profile on twitter.com."

The worm can be blocked by disabling JavaScript in your Web browser or by using the NoScript plug-in for Firefox.

The first attack struck about 2 a.m. PST on Saturday, and the Twitter security team worked to secure the service from about 7:30 a.m. PST through about 11 a.m. PST. Some 90 accounts were compromised.

The second attack struck later that afternoon. It affected about 100 accounts.

The third attack began Sunday and affected an undisclosed number of accounts.

Twitter's Stone said the company is still reviewing what happened, cleaning up, and watching for further incursions. "Every time we battle an attack, we evaluate our Web coding practices to learn how we can do better to prevent them in the future," he said. "We will conduct a full review of the weekend activities. Everything from how it happened, how we reacted, and preventative measures will be covered."

1 of 2