Today's XSS onmouseover exploit on twitter.com

爱一瞬间的悲伤 2020-12-23 09:32

Can you explain what exactly happened on Twitter today? Basically the exploit was causing people to post a tweet containing this link:

http://t.co/@\"style=\"fon         


        
5 Answers
  •  梦毁少年i
    2020-12-23 10:18

    From Wikipedia: "Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users."

    Today's attack fits the bill to me.

    Basically there was some sort of parsing error with Twitter.com's display code. When they converted URLs to HTML hyperlinks, they weren't handling @ characters correctly and this was causing JavaScript events to be inserted into the HTML link.
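
The failure mode this answer describes, a URL-to-hyperlink converter whose output lets part of the "URL" become a new HTML attribute, shown as an added example that is not part of the original answer and is not Twitter's code. The function names, the URL pattern and the sample input are assumptions made for illustration; a harmless `data-` attribute stands in for the injected event handler.

```javascript
// Added illustration, not Twitter's code; all names here are hypothetical.

// Loose matcher: any non-space run after the scheme, so '"' and '@' are accepted.
const LOOSE_URL = /https?:\/\/\S+/g;

// Vulnerable: matched text is pasted into the href attribute and link text unescaped.
function linkifyVulnerable(text) {
  return text.replace(LOOSE_URL, (url) => `<a href="${url}">${url}</a>`);
}

// Escape for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render one candidate: parse it, allow only http/https, escape on output.
function renderLink(candidate) {
  let parsed;
  try { parsed = new URL(candidate); } catch { return escapeHtml(candidate); }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return escapeHtml(candidate);
  // The parser percent-encodes '"' in the path; escapeHtml covers the HTML context.
  return `<a href="${escapeHtml(parsed.href)}" rel="nofollow noopener">${escapeHtml(candidate)}</a>`;
}

// Hardened: escape everything outside links, and build each link via renderLink.
function linkifySafe(text) {
  let out = "";
  let last = 0;
  for (const m of text.matchAll(LOOSE_URL)) {
    out += escapeHtml(text.slice(last, m.index)) + renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Rough check for this demo (not an HTML parser): attribute names on the first <a> tag.
function anchorAttributes(html) {
  const tag = (html.match(/<a\s[^>]*>/) || [""])[0];
  return [...tag.matchAll(/\s*([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed input: a harmless data- attribute stands in for an event handler.
const sample = 'look http://example.test/@"data-injected="1';
console.log(anchorAttributes(linkifyVulnerable(sample)));
console.log(anchorAttributes(linkifySafe(sample)));
```

The vulnerable version emits an anchor carrying an attribute the application never wrote, while the hardened version emits only `href` and `rel` because the quote is encoded before it reaches the attribute value.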
