The replies to that tweet are beautiful. Sometimes you forget that not everyone in the world can recognize a cross-site scripting vulnerability when they see one!
Some services will ignore security entirely at first, because it doesn't directly contribute to getting a viable product to market quickly (obviously, users will use an insecure site or app so long as they don't know how insecure it is). Then when the app becomes viable, they will continue to ignore security because it doesn't directly contribute to growth. Security becomes part of the nebulous "optimization" stage which is pushed somewhere down the road - and at some point the application becomes so complex that security isn't deemed worth the effort or the money.
I'm not saying that's what happened here, and depending on the language and platform you're using, XSS can be a difficult problem to solve. But it does seem to be a common trait to disregard security until you have to apologize for it.
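On the point above that XSS can be hard to solve: the standard defence for the common case is output encoding chosen for the exact context the untrusted text lands in (HTML text here), applied at render time rather than trusting the input to be clean. The block below is an added example, not code from this thread or from TweetDeck; `escapeHtml`, `renderTweetUnsafe`, `renderTweetSafe` and `containsForeignTag` are illustrative names, and `SAMPLE_TWEET` is constructed input.

```javascript
// Added example: context-aware output encoding for untrusted text placed in
// an HTML text context. Not code from the thread or from TweetDeck.
// Attribute values need the same encoding AND must be quoted by the template;
// JavaScript, URL and CSS contexts each need their own encoder (not shown).

// The five characters that can change the HTML parser's state.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted text so it is rendered as literal characters.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Defect: raw interpolation lets markup inside the tweet become markup in the page.
function renderTweetUnsafe(text) {
  return `<p class="tweet">${text}</p>`;
}

// Fixed: the tweet body is encoded for the HTML text context it is inserted into.
function renderTweetSafe(text) {
  return `<p class="tweet">${escapeHtml(text)}</p>`;
}

// Cheap regression check for tests or CI: after rendering, the only tags present
// should be the template's own. Returns true if any other tag name appears.
function containsForeignTag(html, allowed = ['p']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample input: a tweet body carrying markup, standing in for any
// untrusted content. Compare the two renderings side by side.
const SAMPLE_TWEET = 'Hello <b>world</b> & "friends"';

function demo() {
  return {
    unsafe: renderTweetUnsafe(SAMPLE_TWEET),  // markup survives into the page
    safe: renderTweetSafe(SAMPLE_TWEET),      // markup rendered as visible text
  };
}

module.exports = { escapeHtml, renderTweetUnsafe, renderTweetSafe, containsForeignTag, SAMPLE_TWEET, demo };
```

The `containsForeignTag` check is deliberately crude (it looks for tag-like tokens, not a full parse) and is meant as a tripwire in tests, not as a sanitizer; the real control is that every render path goes through `escapeHtml` or a templating engine that auto-escapes by default.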
I guess the New York Times uses Tweetdeck[1].
I saw this because several people I follow had retweeted it and the Twitter app notifies you if several of your followers do the same thing. It's a useful feature. If Tweetdeck does the same thing it could make this spread really fast.
I wonder if the poster of this "twitter worm" could get in legal trouble for this; it's quite similar to the Samy MySpace worm[1] of a decade ago, where the creator was charged with a felony (they plea-bargained out).
For some reason this is hilarious to me. Not the pinnacle of responsible disclosure, but no real harm done.