"A malicious link is making the rounds that will post a tweet to your account when clicked on," Twitter wrote on its status blog Sunday afternoon.
The offending messages appeared on a user's Twitter feed with "WTF:" followed by a link. If you clicked on that link, you were taken to a blank page, but behind the scenes, the worm would post vulgar messages on your account that discussed, well, sex involving goats.
"Clicking on the WTF link would take you to a webpage which contained some trivial code which used a CSRF (cross-site request forgery) technique to automatically post from the visitor's Twitter account," according to a blog post from Sophos's Graham Cluley. "All the user sees if they visit the link is a blank page, but behind the scenes it has sent messages to Twitter to post from your account."
The message did not spread if you were not signed into your Twitter account at the time. Cluley suggested the attack spread so quickly because people were eager to find out what might warrant a "WTF" label.
Twitter said Sunday evening that it had fixed the exploit and was in the process of removing the offending tweets, but Cluley said the attack "highlighted an obvious security problem in Twitter which must be addressed as a matter of urgency - otherwise we can expect further (perhaps more dangerous) attacks."
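For readers who want to see why the link only worked on signed-in users, and what a server-side check against this class of request looks like, here is an added example (not Twitter's code, and not from the Sophos post). It models a status-posting handler twice: once trusting the session cookie alone, once also requiring a same-site Origin header and a per-session token. The origin, session store and function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)        # per-deployment secret (constructed)
SITE_ORIGIN = "https://social.example"      # hypothetical site origin
SESSIONS = {"sess-alice": "alice"}          # constructed session store

def csrf_token(session_id):
    """Token bound to the session; served only inside the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def post_status_cookie_only(req):
    """Cookie is the only credential: any page the browser visits can trigger it."""
    user = SESSIONS.get(req["cookies"].get("session"))
    if user is None:
        return 401, "not signed in"
    return 200, f"posted as {user}"

def post_status_hardened(req):
    """Additionally require proof that the request came from the site's own page."""
    sid = req["cookies"].get("session")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not signed in"
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403, "cross-site origin"
    sent = req["form"].get("csrf_token", "")
    if not hmac.compare_digest(sent, csrf_token(sid)):
        return 403, "bad csrf token"
    return 200, f"posted as {user}"

# Constructed requests. The browser attaches the session cookie automatically,
# so the forged request carries it even though a foreign page submitted it.
forged = {"cookies": {"session": "sess-alice"},
          "headers": {"Origin": "https://other.example"},
          "form": {"status": "unwanted post"}}
genuine = {"cookies": {"session": "sess-alice"},
           "headers": {"Origin": SITE_ORIGIN},
           "form": {"status": "hello", "csrf_token": csrf_token("sess-alice")}}
signed_out = {"cookies": {}, "headers": {"Origin": "https://other.example"},
              "form": {"status": "unwanted post"}}

if __name__ == "__main__":
    for name, req in [("forged", forged), ("genuine", genuine), ("signed_out", signed_out)]:
        print(name, post_status_cookie_only(req), post_status_hardened(req))
```

The token check is the load-bearing control: a page on another origin cannot read the site's forms, so it cannot supply a valid token even when the cookie rides along.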