We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.
Early this morning, a user noticed the security hole and took advantage of it on Twitter.com. First, someone created an account that exploited the issue by turning tweets different colors and causing a pop-up box with text to appear when someone hovered over the link in the Tweet. This is why folks are referring to this as an "onMouseOver" flaw -- the exploit occurred when someone moused over a link.
Other users took this one step further and added code that caused people to retweet the original Tweet without their knowledge.
Posted on September 21, 2010