A new security flaw has been discovered on Twitter today. It is easy to reproduce, to exploit, and to play with. It can cause a user’s account to take actions that the exploiter puts into a specially-crafted tweet, without the user realizing it; for example, it can redirect the Twitter user to a different website, any website of the exploiter’s choosing. (See UPDATE #2 below.)
The bug only appears to affect the twitter.com website, not third-party apps such as CoTweet, TweetDeck, etc. Therefore, until Twitter fixes this flaw, you might want to avoid the twitter.com website and only use third-party apps to access your Twitter stream.
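The flaw described above is a cross-site scripting (XSS) bug: text typed into a tweet ends up in the page’s HTML without being escaped, so the browser treats markup in that text as part of the page. The following is an added illustration, not Twitter’s code or anything from the original post: it renders a tweet two ways, once by concatenating the raw text (the vulnerable pattern) and once after HTML-escaping every untrusted field (the mitigation), and it includes a small check that counts the tags in the rendered output so a test can show that only the template’s own tags survive. The helper names, the tweet template, and the sample tweet text are all constructed for the example.

```javascript
// Added example (not from the original page): escaping user-supplied tweet
// text before it is inserted into HTML. All function names are hypothetical.

// Minimal HTML escaping table covering the characters that can open or close
// tags and attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace every HTML-significant character in untrusted text with its entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the tweet author and body are concatenated straight into
// the markup, so any tag in the tweet becomes part of the page.
function renderTweetUnsafe(author, text) {
  return `<div class="tweet"><b>${author}</b>: ${text}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches the HTML.
// The browser then displays the tweet text literally, tags included.
function renderTweetSafe(author, text) {
  return `<div class="tweet"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Check used by the test: count the tag openers ('<' followed by a letter or
// '/') in the rendered HTML. The template above contributes exactly four, so a
// higher count means user text contributed markup of its own.
function countTags(html) {
  return (html.match(/<[a-zA-Z\/]/g) || []).length;
}

// Constructed sample tweet carrying markup, standing in for a crafted tweet.
// The URL is a placeholder; nothing here is a real payload from the incident.
const SAMPLE_AUTHOR = 'someone';
const SAMPLE_TEXT = "hello <script>location='https://example.invalid/'</script> world";

// Stand-alone demonstration: the unsafe render leaks a script tag into the
// page, the safe render does not.
console.log('unsafe tags:', countTags(renderTweetUnsafe(SAMPLE_AUTHOR, SAMPLE_TEXT)));
console.log('safe tags:  ', countTags(renderTweetSafe(SAMPLE_AUTHOR, SAMPLE_TEXT)));
console.log(renderTweetSafe(SAMPLE_AUTHOR, SAMPLE_TEXT));
```

The escaping here is for the HTML text and attribute-value contexts only; text placed inside a `<script>` block, a URL, or a CSS value needs the encoding rules of that context instead, which is why templating engines that escape by default per context are the usual fix rather than hand-written string replacement.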
UPDATE #1: The Twitter @safety account just retweeted the following tweet from the head of Twitter’s Trust and Safety team: “The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.” So hopefully, this bug should now be fixed.
UPDATE #2: Twitter has posted a blog entry about this incident.