Security hole on Twitter.com exploited, links forced on mouseover
Though Twitter recently launched a newly redesigned site, users of the popular microblog are advised to use only third-party Twitter clients Tuesday morning to avoid a newly exploited security hole.
The hole stems from the onMouseOver JavaScript event handler: a crafted tweet can make a website launch in your browser simply by mousing over a link in your Twitter feed. So far, the flaw has been used to redirect users to third-party sites, to pop up unwanted messages, and to make messages retweet themselves.
The "worm" variety of this exploit launches a modal overlay that turns the entire browser window into an onMouseOver field, which then retweets the malicious message as soon as the user moves the mouse pointer over any part of the page.
Though the current exploits are still mostly harmless in nature, this hole can easily be used to redirect Twitter users to sites containing malware.
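As an added example (not Twitter's code and not the exploit itself), here is the rendering discipline that closes this class of hole: tweet text is escaped for both text and attribute context before URLs are turned into links, so user input can never break out of the href and add an event-handler attribute, and a check confirms every generated anchor carries nothing but an href. The function names and the sample tweet are constructed for illustration.

```javascript
// Added example: safely turn a tweet's URLs into links.
// The bug described above arises when tweet content lands inside a link
// tag's attribute context unescaped. Escaping every character that can
// end a text node or an attribute value keeps user input inert.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape for both HTML text and double-quoted attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Only http(s) URLs become links; the match stops at whitespace or quotes.
const URL_RE = /https?:\/\/[^\s"'<>]+/g;

function linkifyTweet(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));   // text between links
    const url = m[0];
    out += `<a href="${escapeHtml(url)}">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(text.slice(last));              // trailing text
  return out;
}

// Defensive check for rendered markup: every <a> tag may carry only href.
// Any other attribute (event handlers included) means escaping failed.
function hasOnlyHrefAttributes(html) {
  for (const m of html.matchAll(/<a\s+([^>]*)>/g)) {
    if (!/^href="[^"]*"$/.test(m[1])) return false;
  }
  return true;
}

// Constructed sample tweet containing characters that would break out of
// an unescaped attribute value.
const sampleTweet = 'see http://example.com/a"b <b>not bold</b> and http://example.com/x?a=1&b=2';
```

Running `hasOnlyHrefAttributes(linkifyTweet(sampleTweet))` on the constructed tweet returns true, while the same check on markup that contains an extra attribute returns false.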
Users are advised to stay away from Twitter.com and use third-party clients, or to disable JavaScript on Twitter.
UPDATE: At 9:50 AM EST, the Twitter status blog claimed that the cross-site scripting exploit was fully patched.