Update at 10:07: Once again showing the power of NPR, Twitter has been patched.
We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again when it is.
Update (6:50 PDT, 13:50 UTC): The exploit is fully patched.
It might be wise to stay off Twitter.com this morning. A security hole is being exploited, mostly for fun and games, but also to send people to hardcore porn sites. And you don't need to click on the tweets, you just have to mouse over them.
From the Sophos security blog:
The Twitter website is being widely exploited by users who have stumbled across a flaw which allows messages to pop-up and third-party websites to open in your browser just by moving your mouse over a link. Messages are also spreading virally exploiting the vulnerability without the consent of users.
Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister.
It appears that in Sarah Brown's case her Twitter page has been messed with in an attempt to redirect visitors to a hardcore porn site based in Japan. That's obviously bad news for her followers - over one million of them.
Screenshot of Sarah Brown's Twitter page.
The exploit does not effect third party Twitter applications, so those are still safe to use.