Yes, I was just nailed by the mouseover hack/worm that's making it's way around twitter right now. It started auto-posting itself under my account so it could spread.

I just closed the browser window and switched to tweetdeck - then deleted all those stupid worm posts. Probably not a good idea to access Twitter directly for a while!

Gizmodo has some coverage, now

The exploit takes advantage of the Javascript function onMouseOver, enticing users with colorful blocks of text—"rainbow tweets"—and then retweeting those messages automatically when the block is moused over. In some cases the links launch pop up windows, in others users are being directed to spam and #*$! sites.

Third party apps are safe from the bug, but because the exploit spreads by users merely hovering over links, visiting the Twitter website right now almost guarantees that you'll inadvertently retweet one of the messages.

[gizmodo.com...]

I think but not sure my wife got this bug last week. I am not sure what she had but from a detailed discussion with her I really could never nail down the place she got it.
She was on Yahoo Mail and we were IM talking when it hit her. You know the security warning popup up so she didn't click anything but cut the computer off as I had instructed her. She still got the bug and a bad one at that. The only sites that were open at the time of the attack were yahoo email, FB, and Yahoo IM.
I was able to do an install of malwarebits to get the trojans pulled. She had 5 trojans installed on the computer.
Took me 2 1/2 hours to get the computer cleaned up disabled AVG and Internet exployer. I had to uninstall AVG and do a clean install to get everthing back to working. Whatever it was was a really tough one to get off.

As far as I know, this particular worm is only active on twitter.com - and although it could redirect you to a malware site, I've seen no reports of that.

TechCrunch has just produced a five point program to deal with the mouseover worm:

1. Don’t use the Twitter web site, especially the older version.

2. Use a desktop application like Tweetdeck, Seesmic or similar. Although the affected tweets do appear in your stream, they will not produce the same mouseover effect.

3. Use the Twitter mobile site, which appears to be unaffected.

4. Delete the affected tweets by avoiding the main web site and logg-in to the mobile site instead. Then delete the forced Retweet. Delete any tweets so that the worm does not spread to your friends and followers.

5. Change your password just in case.

[eu.techcrunch.com...]

Only a matter of time.

News from Twitter about their problem:

We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit.

We expect the patch to be fully rolled out shortly and will update again.

[status.twitter.com...]

This is one of the big benefits of WebmasterWorld - getting news like this so quickly. I'm staying away from Twitter until the all clear.

According to Mashable, Twitter has now sounded the "all clear"

Update (10:00 a.m. ET): A spokesperson for Twitter tells us "This should now be fully patched and is no longer exploitable."

[mashable.com...]

Maybe, but they've definitely made me gun-shy about using Twitter.com through a browser. Third party apps have their own issues, too. Ah well, whatchgonnado?

Would Firefox with the NoScript plugin protect the user - or would Twitter simply not work with the plugin enabled.

Has anybody tried twitter.com via the web yet?

I have. It looks like there are no mouseover tweets around, and they're easy to spot because they are bare javascript instead of a message. It's just that hover activates them instead of a click -that's the real nuisance factor.

Thanks, tedster

Twitter confirmed the XSS Attack is fully patched.

Would Firefox with the NoScript plugin protect the user

NoScript has XSS protection.

For those that want to know more...
The Twitter hack: how it started and how it worked [guardian.co.uk]

A Japanese developer was the first to notice the weakness in Twitter's site and says he reported it as far back as mid-August. He put up a demonstration - and then the exploits flourished.The original discovery of the weakness, known as a "cross-site scripting" (XSS) hack, seems to have been made by a Japanese developer called Masato Kinugawa. He says that he reported an XSS vulnerability to Twitter on August 14 - and then discovered that the "new" Twitter, launched on Tuesday 14 September, had the same problem.

The real solution is to stop using Twitter forever.

So much for the superiority of OAuth

You can still visit the twitter site to read messages, just don't log in. You can't re-tweet when logged out.

My sympathies, Tedster, but you should really consider being more careful about allowing scripts to run on your browser, unless there's a true need for a particular site, and you trust it completely. It's like leaving your doors and windows wide open in the centre of town. Hard to complain about being robbed afterwards.

Islamic Republic of iran hacked it like past ...

Then within a few minutes he saw that it had started spreading virally. "holy #*$!. I think this is exponential: "3381 more results since you started searching," he said - adding, a few minutes later "This is scary."

Very reminiscent of the famous "Samy" worm that hit MySpace a few years back. This is what happens when someone with XSS skillz and a low threshold for risk assessment ponders, "I wonder what will happen if I throw this wrench into that big fast-moving machine that doesn't belong to me?"

I wonder if there will be any legal repercussions for the kiddies who did it.

"Melbourne teenager becomes the terror of Twitter" [theage.com.au...]

He said it was Twitter's responsibility, not his, to keep the site secure.

A juvenile understanding of ethics & law. Now that I have read a little about the people who exploited the vulnerability, I hope there are charges laid and convictions made.