Twitter's security team said it has fixed a serious vulnerability on the site that created micro-blogging mayhem on Tuesday.

The cross-site scripting flaw on the Twitter.com site creates a means for posting code into updates that activated when users rolled their mouse over a link. Moving a mouse over redacted (blacked out) tweets was especially dangerous.

Thousands of people were caught out by the vulnerability, including the former prime minister's wife, Sarah Brown. The bug was largely used for mischief but there were reports of porn and shock site redirects, along with profile corruption and various other unpleasant side effects.

Security watchers warned the flaw might easily be harnessed in phishing attacks so it's just as well Twitter's security team in California roused themselves from sleep to plug the flaw, around two hours after it first appeared.

Del Harvey, head of Twitter's trust and safety team, said.

The XSS attack should now be fully patched and no longer exploitable. Thanks, those reporting it.

Users were able to shield themselves from affected tweets in TweetDeck by filtering out Tweets bearing the phrase "onmouseover=". A video of the effects of the vulnerability, and the worm it spawned, can be found from F-Secure here. ®

Related stories

• Twitter 'Stalker app' just a phishing scam (12 August 2011)

  https://www.theregister.com/2011/08/12/twitter_stalker_app_phishing_scam/

• Twitter settles with FTC over celeb account hacks (14 March 2011)

  https://www.theregister.com/2011/03/14/twitter_ftc_celeb_hack_settlement/

• Twitter turns entire accounts into ads (4 October 2010)

  https://www.theregister.com/2010/10/04/twitter_promoted_accounts/

• Anti-virus vendor trio plug website flaws (4 October 2010)

  https://www.theregister.com/2010/10/04/anti_virus_vendor_xss_snafu/

• PayPal plugs mobile site phishing risk (30 September 2010)

  https://www.theregister.com/2010/09/30/paypal_mobile_xss_plugged/

• Tweety profs offer political smear-meme 'truthiness' ratings (29 September 2010)

  https://www.theregister.com/2010/09/29/truthy_truthy/

• WTF worm makes Twitterers declare goat lust (27 September 2010)

  https://www.theregister.com/2010/09/27/twitter_wtf_worm/

• Twitter blames website upgrade for re-introducing XSS hole (22 September 2010)

  https://www.theregister.com/2010/09/22/twitter_xss_genesis/

• Twitter flaw creates micro-blogging mayhem (21 September 2010)

  https://www.theregister.com/2010/09/21/twitter_hack_mayhem/

• Mexican Twitter-controlled botnet unpicked (15 September 2010)

  https://www.theregister.com/2010/09/15/mexican_twitter_botnet/

• Twitter bug creates account hijacking peril (7 September 2010)

  https://www.theregister.com/2010/09/07/twitter_click_and_get_hacked/

• iPad scammers hack Kirstie Allsopp's Twitter (6 September 2010)

  https://www.theregister.com/2010/09/06/allsopp_twitter_hack/

• Fake TweetDeck update lures prompt password resets (31 August 2010)

  https://www.theregister.com/2010/08/31/tweetdeck_trojan_scam_warning/

• Obama Twitter hacker avoids jail (25 June 2010)

  https://www.theregister.com/2010/06/25/obama_twitter_hacker/

• Twitter reaches settlement with feds over privacy lapses (24 June 2010)

  https://www.theregister.com/2010/06/24/twitter_ftc_settlement/

• Britney's Twitter feed hacked again (12 November 2009)

  https://www.theregister.com/2009/11/12/spears_twitter_hack/

• Twitter's underwear exposed after Google Apps hack (15 July 2009)

  https://www.theregister.com/2009/07/15/twitter_hack_exposes_data/

• Twitter users hit by smut spam hack attack (9 March 2009)

  https://www.theregister.com/2009/03/09/twitter_smut_spam_hack/

• Kanye West blames Gmail hijack for bisexual porn hoax (26 January 2009)

  https://www.theregister.com/2009/01/26/kanye_west_hacked/

• Password guessing attack exposed in Twitter pwn (7 January 2009)

  https://www.theregister.com/2009/01/07/twitter_hack_explained/

• Twitter's veracity chewed up by Britney's four-foot vagina (6 January 2009)

  https://www.theregister.com/2009/01/06/twitter_attacks/