The attack exploits an input-validation weakness in a field of the form used for adding third-party Twitter clients, such as TweetDeck and Twitterrific. The form doesn't fully vet what can go in that box, Slater said, so an attacker can put JavaScript tags there as well as raw HTML code, for instance. "Whatever I type in that box will appear at the end of my tweets," he blogged in a follow-up post. "Anyone who sees that tweet will then be viewing that code."
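The weakness described above, reduced to a sketch (an added example, not Twitter's code and not from the original article): the `clientName` field, the function names and the sample records are assumptions. It puts the raw rendering of the stored value next to the two defences, an allowlist check when the form is submitted and HTML escaping when the tweet is displayed.

```javascript
// Added example. Field and function names are hypothetical, not Twitter's code.

// Escape the characters that let stored text break out into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Input-side check for the client-name box: short, plain characters only.
function isValidClientName(name) {
  return typeof name === 'string' && /^[A-Za-z0-9 ._-]{1,40}$/.test(name);
}

// Vulnerable rendering: the stored client name is concatenated in as markup,
// so whatever was typed into the form is parsed by every viewer's browser.
function renderTweetUnsafe(tweet) {
  return '<p>' + escapeHtml(tweet.text) +
    ' <span class="source">via ' + tweet.clientName + '</span></p>';
}

// Hardened rendering: every stored field is escaped at output time,
// regardless of what the form accepted earlier.
function renderTweetSafe(tweet) {
  return '<p>' + escapeHtml(tweet.text) +
    ' <span class="source">via ' + escapeHtml(tweet.clientName) + '</span></p>';
}

// Constructed sample records (not real data).
const benign = { text: 'hello', clientName: 'TweetDeck' };
const hostile = { text: 'hello', clientName: '<script>alert(1)</script>' };

for (const tweet of [benign, hostile]) {
  console.log('accepted at input:', isValidClientName(tweet.clientName));
  console.log('unsafe:', renderTweetUnsafe(tweet));
  console.log('safe:  ', renderTweetSafe(tweet));
}
```

Output escaping is the control that protects viewers of records already stored before the input check existed; the allowlist only stops new bad values from being saved.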
The link for this article located at Dark Reading is no longer available.