So this Twitter bomb is spreading like wildfire – it works by loading the Twitter page in an invisible iframe laid over the top of the bait page (spotted by @peterc).
As most people stay logged in to Twitter, when they click the ‘Don’t click’ button (who can resist?!), the click actually lands on Twitter’s own form inside the hidden frame and submits a tweet for you.
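The attack only works because the Twitter page can be framed by any other site at all. Below is an added example (not code from the original post, and not Twitter’s) showing the defender’s side: a small Node.js function that takes a page’s response headers and decides whether a given parent origin would be allowed to frame it, using the two anti-framing controls browsers honour today, the `X-Frame-Options` header and the CSP `frame-ancestors` directive (both arrived after this incident). The origins used are constructed for the example; header names are assumed to be lower-cased, as Node’s `http` module does.

```javascript
// Added example: evaluate anti-framing headers for a page served from pageOrigin
// when some page at parentOrigin tries to put it in an <iframe>.
// Assumption: `headers` is a plain object with lower-case header names.

// Pull the source list out of a `frame-ancestors` directive, or null if absent.
function parseFrameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

const DEFAULT_PORTS = { 'https:': '443', 'http:': '80' };

// Does one CSP source expression (e.g. 'self', https:, https://*.example.com)
// match the parent origin?
function sourceMatches(source, pageOrigin, parentOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return parentOrigin === pageOrigin;
  if (s === '*') return true;
  const parent = new URL(parentOrigin);
  // Scheme-only source such as "https:"
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return parent.protocol === s;
  // Host source: optional scheme, optional "*." wildcard, host, optional port.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== scheme + ':') return false;
  const hostOk = wildcard ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  if (!hostOk) return false;
  const parentPort = parent.port || DEFAULT_PORTS[parent.protocol] || '';
  if (port && port !== '*' && port !== parentPort) return false;
  return true;
}

// Returns true when the browser would let parentOrigin frame the page.
function framingAllowed(headers, pageOrigin, parentOrigin) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseFrameAncestors(csp);
    if (sources !== null) {
      // frame-ancestors takes precedence over X-Frame-Options when both exist.
      // An empty list or 'none' means nobody may frame the page.
      if (sources.length === 0 || sources.some(x => x.toLowerCase() === "'none'")) return false;
      return sources.some(x => sourceMatches(x, pageOrigin, parentOrigin));
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parentOrigin === pageOrigin;
  // No anti-framing header at all: any site can overlay the page, as in this incident.
  return true;
}

// Constructed demo: the unprotected case beside three hardened header sets.
function demo() {
  const page = 'https://twitter.example';       // constructed origin
  const attacker = 'https://dont-click.example'; // constructed origin
  return {
    unprotected: framingAllowed({}, page, attacker),
    xfoDeny: framingAllowed({ 'x-frame-options': 'DENY' }, page, attacker),
    xfoSameOrigin: framingAllowed({ 'x-frame-options': 'SAMEORIGIN' }, page, attacker),
    cspNone: framingAllowed(
      { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" }, page, attacker),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // { unprotected: true, xfoDeny: false, xfoSameOrigin: false, cspNone: false }
}
```

The first entry of the demo output is the 2009 state of affairs: with no anti-framing header the page can be overlaid by anyone, and the user’s logged-in session does the rest. Either of the two headers closes that door; a CSP policy is the one to prefer because it can also whitelist specific partner origins.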
I’m not sure if this is exploiting any vulns at all. Some people are crying out ‘XSRF!!’ etc, but I’m not sure this is the case.
See attached screenies for the Firebug explanation :)
See Simon Willison’s presentation on web security for a more thorough explanation of clickjacking and other exploits.
Update: looks like Twitter have reacted.