The site was overrun on Tuesday morning with posts discussing a programming flaw that pranks users, spreads worms, and sends porn to unsuspecting Tweeters.
The New York Times reported that one offending post included an “onmouseover” command that caused messages to pop up and sites to open automatically when a pointer hovered over it.
The script caused some users to forward the offending links to their followers — similar to the many Facebook worms that have been found over the past few years.
Twitter hasn’t issued a statement yet, but posted a status page message saying: "We’ve identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit." At 9:50 Eastern time Twitter said it had fixed the flaw. (XSS is short for "cross site scripting" and refers to Web-application flaws that enable hackers to inject scripts into Web sites.)
News outlets reported that due to the worm, Sarah Brown, wife of former British prime minister Gordon Brown, was circulating a link on her Twitter page that sent users to a hardcore Japanese porn site.
Twitter user Magnus Holm, who says he’s a Norwegian Ruby on Rails programmer, appears to have started the flaw.
In an email to the Times, Holm said he just “wanted to experiment with the flaw.”
But the hack isn’t so harmless, and it’s led to other acts of online vandalism.
The Times reported that Holm said one malicious worm “downloaded some nasty code from a Russian server.”
There is no word on law enforcement action yet.