According to The Guardian Technology Blog, a Japanese developer reported the XSS vulnerability to Twitter on August 14. The company launched a new site September 14, and the new site still had the vulnerability.
Twitter said Tuesday afternoon it had fixed the vulnerability, but not before countless malicious Tweets had been sent.
“We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit,” the company said in a status message posted at 6:25 a.m.
The exploit was perfectly simple. You see, when you send a Tweet with a link attached, the URL is converted to a hyperlink. The exploit altered what that generated link did when you hovered your mouse over it to click.
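To make the mechanism concrete from a defender's side, here is an added example (not code from the article, and not Twitter's actual code) of the general bug class behind a "hover over the link" flaw: a linkifier that drops user-supplied URL text straight into an `href` attribute, placed next to a hardened version that parses the candidate with the WHATWG `URL` constructor, allows only `http`/`https`, and HTML-escapes everything it emits. The function names, the `attributeNames` checker and the sample input are constructed for this demonstration; the sample input contains a double quote followed by an inert attribute, which is enough to show how the naive version lets input spill out of the attribute while the hardened version keeps it inside.

```javascript
// Added example, not the article's or Twitter's code. Names, helper functions and
// the sample input below are constructed for this demonstration.

// Matches a run of non-whitespace starting with http:// or https://.
const URL_PATTERN = /https?:\/\/\S+/g;

// Constructed sample input: a URL-looking string with a quote that closes the
// attribute early, followed by an inert attribute so the breakout is visible.
const SAMPLE_INPUT = 'http://example.com/@"onmouseover="x"/';

// VULNERABLE: the matched text is concatenated into the href attribute as-is.
function linkifyNaive(text) {
  return text.replace(URL_PATTERN, (url) => `<a href="${url}">${url}</a>`);
}

// Escape the five characters that matter inside HTML text and attribute values.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render one candidate link: parse it, accept only http(s), and escape both the
// attribute value and the visible text. Unparseable input is emitted as text.
function renderLink(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate); // percent-encodes characters such as " in the path
  } catch {
    return escapeHtml(candidate);
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return escapeHtml(candidate);
  }
  return `<a href="${escapeHtml(parsed.href)}">${escapeHtml(candidate)}</a>`;
}

// HARDENED: escape the plain-text segments and route every URL match through
// renderLink, so no user-controlled character reaches the markup unescaped.
function linkifySafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_PATTERN)) {
    out += escapeHtml(text.slice(last, m.index));
    out += renderLink(m[0]);
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return out;
}

// Constructed checker: list the attribute names the browser would see on the
// first <a> tag. More than just "href" means the input broke out of the attribute.
function attributeNames(html) {
  const tag = html.match(/<a\s+([^>]*)>/);
  if (!tag) return [];
  return [...tag[1].matchAll(/([\w-]+)="[^"]*"/g)].map((m) => m[1]);
}

console.log('naive:', linkifyNaive(SAMPLE_INPUT), attributeNames(linkifyNaive(SAMPLE_INPUT)));
console.log('safe: ', linkifySafe(SAMPLE_INPUT), attributeNames(linkifySafe(SAMPLE_INPUT)));
```

The naive output carries a second attribute on the anchor; the hardened output has only `href`, with the quote percent-encoded as `%22` in the attribute and as `&quot;` in the link text. The scheme check is belt and braces here because the pattern only matches `http`/`https`, but it matters once a linkifier accepts bare domains or other prefixes.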