The long and short of it this morning is don’t go to Twitter.com. The site is currently experiencing what might be a number of security issues, with the most obvious one being a security exploit pointed out by security firm Sophos, that can execute code when you mouseover a link in your Twitter feed. The security flaw is an XSS, or cross-scripting, exploit that allows malicious Javascript to be inserted into a tweet, which can then run code on your computer.
According to severalsources, the exploit has quickly changed over time this morning, and users do not even need to mouseover a link to be affected by the flaw.
Update: 10:40 AM – Twitter has posted a full explanation of today’s incident.
Update: 7AM – Twitter now says that the XSS attack has now been “identified and patched”.
We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Already, Favstar has seen more than 24,000 retweets of one particular implementation of the bug. A quick look at the trending topics this morning shows quite how quickly the exploit has spread, with “Exploit”, “Security Flaw”, “Mouseover”, “Onmouseover” and “XSS” taking up five of the top 10 topics. Both Mashable and TechCrunch report having seen the exploit used to open pop-up windows, redirect users to porn sites and simply do “funny, rick-rolling type stuff”, but the nature of the exploit appears to be changing quickly as the morning goes on.
Goerg Wicherski, a Kaspersky Lab Expert writing on the exploit warns that users should turn off Javascript for Twitter. “It is possible to load secondary Javascript from and external URL with no user interaction, which makes this definitely wormable and dangerous,” he writes.
Twitter user Judofyr noted earlier this morning that there appeared to be an “ugly XSS hole in Twitter right now” and now says that, as far as he knows, he “started the first worm” but can’t say for sure.
For now, if you really need to feed the Twitter addiction, it appears that third-party clients are standing up against the attack, so go with that. But the best bet with the website (although the new Twitter.com doesn’t appear affected) is to avoid it until further notice.