Well, I just came onto Twitter to find my account had tweeted something extremely vulgar, something I clearly would not have tweeted. It wasn’t long before I discovered a number of other users had tweeted the exact same tweet, all preceded by a “WTF” tweet with an attached link (do NOT click that link).
That WTF link opens two iframes. It doesn’t technically hack your Twitter account, but it does use your logged-in browser session to post the tweet on your behalf; this is reportedly called “cross-site request forgery” (CSRF). For a detailed run-through of how the script works, read this.
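As an added example (not the post’s or Twitter’s own code), here is the server-side check that defeats this kind of forged tweet: the attack page can make the victim’s browser send a POST with the session cookie attached, but it cannot read a token bound to that session, and the browser labels the request as coming from another origin. The site origin, server key and request objects are constructed for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://twitter.example"    # constructed origin for the example
SERVER_KEY = b"constructed-server-secret"   # in production: random and kept secret


def issue_token(session_id: str) -> str:
    """Derive the CSRF token for a session: bound to the cookie, not guessable by a third-party page."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP POST to the 'post a tweet' endpoint."""
    session_id: str                          # value of the session cookie the browser attached
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def same_origin(url: str) -> bool:
    """True only if scheme and host match the site exactly (no prefix tricks)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_csrf_safe(req: Request) -> bool:
    """Accept the POST only if it is same-origin and carries the token for this session."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(origin):
        return False                         # submitted from another site, e.g. a hidden iframe
    token = req.form.get("csrf_token", "")
    return hmac.compare_digest(token, issue_token(req.session_id))


def demo() -> dict:
    """Constructed requests: the user's own tweet versus cross-site forgeries riding on the cookie."""
    sid = secrets.token_hex(8)
    legit = Request(sid, {"status": "hello", "csrf_token": issue_token(sid)},
                    {"Origin": SITE_ORIGIN})
    forged = Request(sid, {"status": "forged text"},            # cookie present, no token
                     {"Origin": "https://attacker.example"})
    cross_site_with_token = Request(sid, {"status": "forged text", "csrf_token": issue_token(sid)},
                                    {"Origin": "https://attacker.example"})
    return {"legit": is_csrf_safe(legit), "forged": is_csrf_safe(forged),
            "token_but_cross_site": is_csrf_safe(cross_site_with_token)}
```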
This isn’t the first Twitter “hacking” to take place recently. Earlier this week, Twitter was aflutter with news of a worm spreading through the site. The “onMouseOver” issue, which presented pop-up boxes and redirected users to porn sites, was relatively quickly handled by Twitter.
What you need to know: Simple, don’t click on any links that look suspicious or include “WTF”.
Update: The exploit has reportedly been fixed in both old and new Twitter, but for now don’t click on any links that look suspicious or include “WTF”.
Update 2: Twitter just posted this message on their Status blog: “A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.”