[UPDATE: All fixed now ... ]
This vulnerability can be used for all sorts of nefarious activities, from loading NSFW websites, to changing statuses, to retweeting status updates containing the vulnerability. Most malware-laden tweets are hidden behind text that looks redacted (black blocks) to hide the script.
The vulnerability only affects users accessing the service via the main Twitter.com website. The mobile Twitter site (mobile.twitter.com) is unaffected, as are third-party clients such as TweetDeck.
Alternatively, you can:
- Stay off Twitter
- Use the Mobile site - http://mobile.twitter.com
- Log out (which prevents retweeting, but doesn't prevent execution of the code in the first place, so watch out)
Given what I'm seeing out there on Twitter right now, if this were a zombie movie, a lot of people would already have been bitten, including quite a few who should know better ... ;) ... and remember, if you've been bitten and I haven't, I know what to do; I've seen "Night of the Living Dead" at least a dozen times ;)
[UPDATE: Getting reports in that you don't actually have to mouse over affected links ... perhaps someone is leveraging an alternative to "onmouseover"?]
[UPDATE 2: New improved exploit means that you trigger the exploit no matter where you mouseover on the page ... so just loading the page is enough.]
[UPDATE 3: Watching how fast this Twitter bug spread, it's a lucky thing that it wasn't put to more nefarious uses ... if someone had set out with the idea of using this to launch a serious malware campaign, the fallout would have been much worse.]
[UPDATE 5: Twitter now acknowledges the flaw: "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit."]
[UPDATE 6: And the vulnerability has been patched.]
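For readers wondering what class of bug lets a tweet carry an "onmouseover" handler: the added example below (my illustration, not code from this post or from Twitter) shows a URL concatenated straight into an `<a href>` attribute, where a double quote in the URL closes the attribute and smuggles in an event handler, beside an attribute-escaping renderer that neutralises it. The tweet text is constructed for the example, and `hasEventHandlerAttribute` is a heuristic filter I wrote for it, not a Twitter API.

```javascript
// Added example, not Twitter's code. Contrasts a renderer that interpolates a
// URL into an HTML attribute unescaped with one that escapes it, and gives a
// heuristic check a defender can run over rendered markup or raw tweet text.

// Constructed sample tweet: a "URL" whose double quote closes the href
// attribute and appends an onmouseover handler (benign alert(1) marker).
const SAMPLE_TWEET = 'http://example.invalid/@"onmouseover="alert(1)"';

// Vulnerable rendering: raw string concatenation into an attribute context.
// Anything after the first '"' in the URL becomes markup, not data.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Escape the five characters that can terminate an attribute or element.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: only http(s) URLs become links, and every character
// is escaped for the attribute context before concatenation, so a '"' in
// the URL stays inside the href value as &quot;.
function renderLinkSafe(url) {
  if (!/^https?:\/\//i.test(url)) return escapeHtml(url); // render as plain text
  const safe = escapeHtml(url);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Heuristic detection: an on<event>= token directly after a quote or
// whitespace is the shape of an injected handler attribute. Usable as a
// first-pass filter over rendered HTML or over incoming tweet text.
function hasEventHandlerAttribute(s) {
  return /["'\s]on[a-z]+\s*=/i.test(s);
}

console.log('unsafe :', renderLinkUnsafe(SAMPLE_TWEET));
console.log('safe   :', renderLinkSafe(SAMPLE_TWEET));
console.log('flagged:', hasEventHandlerAttribute(SAMPLE_TWEET));
```

Swap the sample for your own feed's text to see which lines the heuristic flags; it is a triage aid, and the escaping in `renderLinkSafe` is the actual fix.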