[hugh]

Twitter was overrun with posts on Tuesday morning that used a programming flaw to play pranks, distribute porn and spread worms to unsuspecting users.

The problem appeared to be confined to Twitter’s old Web interface, and does not affect the new interface that Twitter is gradually rolling out or to mobile applications. Security experts said that a JavaScript command in the offending posts included a command, “onmouseover,” that caused messages to pop up and Web sites to open automatically when a mouse hovered over it. The script in some cases also caused a user to forward the offending link, spreading it virally to their followers and the rest of Twitter.

Story

 

[magnet]

Some corporations are suggesting using Tweetdeck in the meantime as a Twitter work-around.

 

[hugh]

Informative write up at Ars Technica

The flaw was classified as a cross-site scripting (XSS) bug. Due to an error in the way that Twitter processed messages, it was possible to include JavaScript in tweets, and that JavaScript could then do more or less anything, including sending more JavaScript-containing tweets. The technique was devised last night by Twitter user Magnus Holm. Holm says that he didn't find the XSS flaw itself, but he appears to have been the first to write a worm that exploited it.

 

[caper_26]

I use "No Script" add-on for FireFox which has XSS filters/prevention among Javascript disablers. I know, I have to manually allow (or temporarily allow) any site I visit, but I prefer to do so to keep all the extra BS from loading on pages I visit. Works well!