
Update: Twitter says, “The exploit is fully patched.”
The exploit takes advantage of the JavaScript onMouseOver event handler, enticing users with colourful blocks of text – “rainbow tweets” – and then retweeting those messages automatically when the block is moused over. In some cases the links launch pop-up windows; in others, users are directed to spam and porn sites. Commenter RawheaD points out that one variant turns the whole browser window into a MouseOver area, so putting your mouse anywhere in the window will trigger a retweet.
Reader Mike sent a video of the exploit in action. As soon as he moves his cursor from the toolbar to the body of the Twitter.com page, it retweets the exploit and attempts to send a Direct Message.
Sarah Brown, wife of former British Prime Minister Gordon Brown, was hit with the exploit earlier this morning. Her page displayed a gigantic letter “h” and redirected users to a Japanese porn site.


Third-party apps are safe from the bug and can be used to delete the inadvertent retweets if you’ve been hit. But for now, because the exploit is spread merely by hovering over tweets, visiting the Twitter website almost guarantees that you’ll inadvertently end up spamming your followers. [Sophos]
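
An onMouseOver handler can only fire from a tweet if tweet text reaches the page as markup rather than as text. The sketch below is an added example, not Twitter's code and not from this article: a hypothetical tweet renderer in an unescaped and an escaped form, plus a rough check for event-handler attributes in the output. All function names and the sample tweet are constructed for illustration.

```javascript
// Added example: hypothetical renderer, not Twitter's implementation.
const URL_RE = /https?:\/\/\S+/g;

// Escape the characters that matter in HTML text and quoted attributes.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable form: the matched URL is pasted into a quoted attribute as-is,
// so a double quote in the tweet closes href and starts a new attribute.
function renderTweetUnsafe(text) {
  return text.replace(URL_RE, url => `<a href="${url}">${url}</a>`);
}

// Hardened form: every piece of user text is escaped before it is emitted,
// and only http(s) URLs (per URL_RE) are ever turned into links.
function renderTweetSafe(text) {
  let out = "", last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="nofollow noopener">${url}</a>`;
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Defender's check (heuristic for this demo): drop quoted attribute values
// from each tag, then report any on* attribute names that remain.
function eventHandlerAttrs(html) {
  const found = [];
  for (const tag of html.match(/<[a-zA-Z][^>]*>/g) || []) {
    const bare = tag.replace(/"[^"]*"|'[^']*'/g, "");
    for (const m of bare.matchAll(/\b(on[a-z]+)\s*=/gi)) {
      found.push(m[1].toLowerCase());
    }
  }
  return found;
}

// Constructed sample tweet; the handler body is inert.
const SAMPLE = 'rainbow http://example.com/#@"onmouseover="void(0)"/';
console.log(eventHandlerAttrs(renderTweetUnsafe(SAMPLE)));
console.log(eventHandlerAttrs(renderTweetSafe(SAMPLE)));
```

The same check can be run over stored or cached rendered tweets to find output that already carries a stray handler attribute.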

God, I wish people would stop using Flash, so many security problems WITH IT. They should use inbuilt stuff like HTML5 and java scr... oh wait...