Update: Twitter announced on its Status blog that it has identified the attack and that a patch should be rolling out soon. From the post: “We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit. We expect the patch to be fully rolled out shortly and will update again when it is.”
The bug is particularly nasty because it triggers on mouseover alone, with no click required: pop-ups and third-party websites can open merely because you moved your mouse over the offending link.
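The root cause of a bug like this is user-supplied text being stitched into HTML without escaping, so a quote character in a link can end the `href` attribute and start a new one (such as an `onmouseover` handler) that the browser then honours. The following is an added example, not Twitter's code or anything from the original article: a naive tweet linkifier beside a hardened one, plus an audit routine that parses the rendered HTML and reports any element carrying an `on*` event-handler attribute or a non-http(s) `href`. All function names and the sample tweet are constructed for illustration.

```python
"""Added example (not from the original article): naive vs. hardened tweet
linkifier, and an audit that parses rendered HTML for inline event handlers.
Names and sample inputs are constructed."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Loose matcher: anything that starts with http(s):// up to the next whitespace.
_URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
_SAFE_SCHEMES = ("http", "https")


def render_naive(text: str) -> str:
    """Vulnerable pattern: the matched URL is interpolated straight into markup,
    so a quote inside it terminates the href attribute early."""
    return _URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)


def render_hardened(text: str) -> str:
    """Treat the tweet as data: escape every segment (quotes included) and
    only turn http(s) URLs with a host into links. The escaping, not the
    regex, is what keeps attribute boundaries intact."""
    out, pos = [], 0
    for m in _URL_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = m.group(0)
        parts = urlsplit(url)
        if parts.scheme.lower() in _SAFE_SCHEMES and parts.netloc:
            esc = html.escape(url, quote=True)
            out.append(f'<a href="{esc}" rel="nofollow noopener">{esc}</a>')
        else:
            out.append(html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


class _HandlerAudit(HTMLParser):
    """Collects (tag, attribute) pairs that would execute script on hover,
    click, or navigation: any on* attribute, or an href with an odd scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append((tag, lname))
            elif lname == "href":
                scheme = urlsplit(value or "").scheme.lower()
                if scheme not in _SAFE_SCHEMES + ("",):
                    self.findings.append((tag, f"href:{value}"))


def audit(rendered: str) -> list:
    """Return the list of live handlers found in already-rendered HTML."""
    parser = _HandlerAudit()
    parser.feed(rendered)
    parser.close()
    return parser.findings


# Constructed sample: a link whose text tries to smuggle an attribute.
SAMPLE = 'see http://example.com/"onmouseover="x() now'

if __name__ == "__main__":
    print("naive   :", audit(render_naive(SAMPLE)))      # [('a', 'onmouseover')]
    print("hardened:", audit(render_hardened(SAMPLE)))   # []
```

The audit is useful as a regression test on the rendering layer: feed it the output of whatever builds tweet HTML and fail the build if it ever returns a finding. Run against the naive renderer it reports the stray `onmouseover` attribute on the anchor; against the hardened renderer the quote is emitted as `&quot;`, the whole string stays one `href` value, and nothing is reported.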
For now, the best course of action is to use only third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter’s web interface. Also, if your Twitter account contains a message abusing the flaw, you can delete it using a third-party app.
Twitter hasn’t yet commented on the incident on any of its official accounts or its official blog. We’ve contacted Twitter about the security flaw but haven’t yet heard from them.