Yesterday, thousands of Twitter users found themselves redirected to other websites, or automatically sending tweets to others, because of a security hole on Twitter’s website.
The attack relied on cross-site scripting (XSS), and it was particularly worrying because it could be triggered simply by hovering over a link on a page. In some cases, merely visiting a Twitter user’s page was enough to set off a chain of automatic tweets.
“We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.
Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an “onMouseOver” flaw — the exploit occurred when someone moused over a link.
Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.”
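The flaw described above is a classic attribute-injection XSS: a tweet's link text is concatenated straight into an `href` attribute, so a quote character inside the "URL" closes the attribute and whatever follows becomes new attributes such as `onmouseover`. The example below is added here and is not Twitter's code; it assumes a simple auto-linking routine (`URL_RE`, a constructed sample tweet) and shows the vulnerable rendering beside a hardened version that context-encodes the output and also rejects non-http(s) schemes, which goes slightly beyond the incident itself.

```javascript
// Added example (not Twitter's code). Assumed: links in tweet text are
// auto-linked by matching anything that starts with http:// or https://.
const URL_RE = /https?:\/\/\S+/g;

// Vulnerable rendering: the matched URL is dropped into the href attribute
// verbatim. A double quote inside the URL closes the attribute, so the rest
// of the match is parsed as further attributes (e.g. onmouseover="...").
function renderTweetVulnerable(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}">${url}</a>`);
}

// HTML-escape for both attribute and text content contexts.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Normalise the URL with the WHATWG parser (which percent-encodes quotes in
// the path), allow only http(s), then escape for the attribute context.
function safeHref(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    return escapeHtml(u.href);
  } catch {
    return null;
  }
}

// Hardened rendering: every piece of untrusted text is escaped for the
// context it lands in, and a rejected URL is shown as plain text.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const href = safeHref(m[0]);
    out += href ? `<a href="${href}">${escapeHtml(m[0])}</a>` : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Constructed sample: a "URL" with no spaces that breaks out of the href
// attribute and injects a mouse-over handler in the vulnerable renderer.
const SAMPLE = 'http://example.test/@"onmouseover="document.title=1"/';
```

Comparing `renderTweetVulnerable(SAMPLE)` with `renderTweetSafe(SAMPLE)` shows the injected `onmouseover` attribute in the first and only escaped or percent-encoded quotes in the second.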