Confirmed Twitter XSS Vulnerability

Just to confirm, my picture post guessing at a potential XSS vulnerability from over 3 hours ago proved itself to be exactly that.

The vulnerability is caused by URLs in tweets not being cleaned/escaped properly before they are turned into links. By adding JavaScript to the end of a URL, you can effectively execute whatever you like as long as it fits within 140 chars (including pretty rainbow coloured tweets). Unfortunately, 140 chars is not much of a limit: a short tweet can reference an external JS file, and once that loads the payload can be as large as the author likes. Tweeting rainbows is harmless enough, but JavaScript running in the twitter.com page has the same access as the logged-in user, so it can be used to obtain session tokens, follow people you don’t want to be following, send DMs and tweets, etc.
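To make the defect concrete, here is an added example (not code from the original post or from Twitter) of a tweet auto-linker that splices URL text straight into an href attribute, beside a version that parses, scheme-checks and escapes the URL first. Function names and the sample tweet are constructed for illustration.

```javascript
// Added example (not code from the original post): auto-linking URLs in
// tweet text the unsafe way (the defect the post describes) and the escaped
// way. Function names and the sample tweet are constructed for illustration.

// Escape the five characters that can break out of an HTML attribute or text node.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Vulnerable: the URL text is spliced straight into the href attribute, so a
// quote character in the URL ends the attribute and whatever follows becomes markup.
function renderLinkUnsafe(url) {
  return '<a href="' + url + '">' + url + '</a>';
}

// Hardened: parse the URL, accept only http/https, and escape the normalised
// form before it touches either the attribute or the link text.
function renderLinkSafe(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return escapeHtml(url); // not a URL at all: emit as plain escaped text
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return escapeHtml(url); // javascript:, data:, etc. are never linked
  }
  const safe = escapeHtml(parsed.href);
  return '<a href="' + safe + '">' + safe + '</a>';
}

// Turn a tweet into HTML: escape the prose, link anything that looks like a URL.
function linkifyTweet(text, renderLink) {
  const urlRe = /https?:\/\/\S+/g;
  let html = "", last = 0, m;
  while ((m = urlRe.exec(text)) !== null) {
    html += escapeHtml(text.slice(last, m.index)) + renderLink(m[0]);
    last = m.index + m[0].length;
  }
  return html + escapeHtml(text.slice(last));
}

// Constructed tweet: the URL carries a quote followed by an event-handler attribute.
const SAMPLE_TWEET = 'look http://example.com/"onmouseover="x() cool';
```

Rendering `SAMPLE_TWEET` through `renderLinkUnsafe` yields a live `onmouseover` attribute, while `renderLinkSafe` leaves only the two quotes that delimit the href, with the injected quote percent-encoded inside it.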

The safest thing to do at this point in time is simply to avoid the twitter.com website. Non-web/non-JavaScript clients are not affected, and may let you delete any RTs etc. that you may have inadvertently spread. You can also use the Firefox NoScript extension to block twitter.com/twimg.com, which is nice and safe but basically breaks the Twitter website.

You can now give me cookies for calling this first.