Twitter users fell victim to a cross-site scripting (XSS) vulnerability today, reporting message pop-ups and third-party websites being accessed without their consent.
In a statement, Twitter said the exploit is now fully patched. "We have identified and are patching an XSS attack; as always, please message @safety if you have info regarding such an exploit," said Twitter.
In a blog post, Sophos security expert Graham Cluley said, "It looks like many users are currently using the flaw for fun and games, but there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed.
"Some users are also seemingly deliberately exploiting the loophole to create tweets that contain blocks of colour, known as 'rainbow tweets'. Because these messages can hide their true content they might prove too hard for some users to resist clicking on them," he added.
Cluley advised users to use a third-party Twitter client rather than Twitter.com until the flaw is fixed.