OnMouseOver XSS plagues Twitter - Update
A new wave of Twitter attacks that exploits a cross-site scripting (XSS) vulnerability in Twitter's web client is causing trouble for users of the micro-blogging service. The injected script code is able to read the user's Twitter cookie and authentication data. First assessments indicate that the vulnerability can be used to create a worm that spreads automatically.
The XSS vulnerability is also being exploited to inject blacked-out areas into pages, hiding the manipulated links. These appear in the user's view of their Twitter timeline and run a script when the user moves their mouse over the blacked-out areas. The payload script posts code into the user's status, sends it on to their followers and may also redirect the user to a dubious site, as observed by Sophos in their blog.
Users of Twitter desktop and mobile clients are unaffected by the flaw, which relies on users being logged in to the Twitter service for the "tweets" to be rendered in a web page. Apparently, users of the recently unveiled "new Twitter" web front end are also unaffected.
Update - In a posting on the company's status blog, Twitter have announced that the vulnerability is now "fully patched".