Update (10:00 a.m. ET): A spokesperson for Twitter tells us "This should now be fully patched and is no longer exploitable."

A new Twitter security flaw has been widely exploited on thousands of Twitter accounts, redirecting users to third-party websites without their consent.

The bug is particularly nasty because it works on mouseover only, meaning pop-ups and third-party websites can open even if you just move your mouse over the offending link.

The flaw uses a JavaScript function called onMouseOver which creates an event when the mouse is passed over a chunk of text. We've seen the flaw being abused to launch simple pop-up windows, redirect users elsewhere (including porn sites), and we've also seen it used in combination with blocks of color, covering the true "intention" of the tweet.

For now, the best course of action is using third-party apps such as TweetDeck to access Twitter, as the bug only seems to affect Twitter's web interface. Also, if your Twitter account contains a message abusing the flaw, you can delete it using a third-party app.

Twitter hasn't yet commented on the incident on any of its official accounts or its official blog. We've contacted Twitter about the security flaw but haven't yet heard from them.

You can see an example of a tweet that launches a pop-up if you move the mouse over it below.





