According to security firm F-Secure Corp., the trouble started earlier today, when several worms began quickly spreading by leveraging a cross-site scripting vulnerability in Twitter that used “onmouseover” techniques, meaning it was enough to move your computer mouse on top of a malicious Tweet to resend the nasty message to all of your followers.
The initial worms apparently began as a proof-of-concept, but a number of new Tweets in the Twitter trending topics page indicate that newer versions are silently redirecting victim PCs to fetch more malicious payloads.
The Twitter user who reportedly discovered the vulnerability — programmer Magnus Holm — remarked on his Twitter feed that in hindsight he probably should have reported the flaw to Twitter, “but when I discovered it, it had already been in the wild for some time, so I assumed they knew it. I’m not responsible for the tweets that blocks the whole screen and retweet. my worm was much less obtrusive.”
Update, 10:05 a.m. ET: I’m reminded now of why I generally don’t write about the Twitter/Facebook malware threats-of-the-day: Because they’re usually no longer a threat by the time you write a blog post about them! Twitter is now reporting that it has fixed the vulnerability.
Update, 1:31 p.m. ET: Twitter’s security chief Bob Lord now has a blog post describing what happened with this worm. Lord writes: “This exploit affected Twitter.com and did not impact our mobile web site or our mobile applications. The vast majority of exploits related to this incident fell under the prank or promotional categories. Users may still see strange retweets in their timelines caused by the exploit. However, we are not aware of any issues related to it that would cause harm to computers or their accounts. And, there is no need to change passwords because user account information was not compromised through this exploit.” More here.