Robert Simmons, the proof of concept purposely displays the iframe as it is not intended to cause any harm by tricking unsuspecting Twitter users. Is that what you meant by "not working in Safari 4?".

"By the time we stumbled on his findings, the exploit no longer worked." - As far as I can tell the exploit still works. To clarify visiting http://m.twitter.com usually results in the mobile version of Twitter being displayed, however only until a user has selected the "Standard" view using the link at the bottom of each page. The exploit would then no longer work until the users cookies are cleared (as twitter seems to store the standard/mobile preference).

Add some server-side code to the Twitter submission page to check the page referrer, and have a confirmation screen if the referrer isn't twitter.com.

Uh how about twitter stop auto filling the status field when it's passed in a GET request ? That's a good fecking start!