"Twitter OnMouseOver Incident," TechCrunch
Either a lot of Techies are into really kinky things, or there is a Twitter worm going around. It looks like a ton of people just started sending out Tweets saying “I Like Anal Sex With Goats.” This Tweet is followed by another one that says “WTF” and includes a link. Do NOT click on this link; it appears that it will cause you to send out the same series of Tweets from your account.
Twitter allows a URL to send a tweet. Many sites and retweet buttons and such rely on it. No POST, no nonce, nothing. Just a simple HTTP GET triggers a tweet. Clearly, someone was going to exploit this eventually. Authentication is not the same as intention. You can’t just determine that a user is allowed to do something, but also that they intended to do something. When intent is not established, and especially when the form can be submitted via a GET request, it makes these kinds of exploits child’s play, as you can see by the complete exploit code below. It’s called a cross-site request forgery, or CSRF (or XSRF).
A malicious link is making the rounds that will post a tweet to your account when clicked on. Twitter has disabled the link, and is currently resolving the issue.