Third party apps are safe from the bug, but because the exploit spreads by users merely hovering over links, visiting the Twitter website right now almost guarantees that you'll inadvertently retweet one of the messages.
1. Don’t use the Twitter web site, especially the older version.
2. Use a desktop application like Tweetdeck, Seesmic or similar. Although the affected tweets do appear in your stream, they will not produce the same mouseover effect.
3. Use the Twitter mobile site, which appears to be unaffected.
4. Delete the affected tweets by avoiding the main web site and logging in to the mobile site instead. Then delete the forced Retweet. Delete any tweets so that the worm does not spread to your friends and followers.
5. Change your password just in case.
We've identified and are patching an XSS attack; as always, please message @safety if you have info regarding such an exploit.
We expect the patch to be fully rolled out shortly and will update again.
Update (10:00 a.m. ET): A spokesperson for Twitter tells us "This should now be fully patched and is no longer exploitable."
Maybe, but they've definitely made me gun-shy about using Twitter.com through a browser. Third party apps have their own issues, too. Ah well, whatchgonnado?
A Japanese developer was the first to notice the weakness in Twitter's site and says he reported it as far back as mid-August. He put up a demonstration - and then the exploits flourished. The original discovery of the weakness, known as a "cross-site scripting" (XSS) hack, seems to have been made by a Japanese developer called Masato Kinugawa. He says that he reported an XSS vulnerability to Twitter on August 14 - and then discovered that the "new" Twitter, launched on Tuesday 14 September, had the same problem.
Then within a few minutes he saw that it had started spreading virally. "holy #*$!. I think this is exponential: '3381 more results since you started searching'," he said, adding a few minutes later: "This is scary."
He said it was Twitter's responsibility, not his, to keep the site secure.