Update: Twitter has addressed the issue on the main company blog:
The short story: This morning at 2:54 am PDT Twitter was notified of a security exploit that surfaced about a half hour before that, and we immediately went to work on fixing it. By 7:00 am PDT, the primary issue was solved. And, by 9:15 am PDT, a more minor but related issue tied to hovercards was also fixed.
The longer version of the story can be read on the blog.
"Messages are also spreading virally exploiting the vulnerability without the consent of users," says security expert Graham Cluley at Sophos. "Thousands of Twitter accounts have posted messages exploiting the flaw. Victims include Sarah Brown, wife of the former British Prime Minister."
Brown's account was displaying a Japanese porn site. "That's obviously bad news for her followers - over one million of them," says Cluley, who created the following video about the flaw:
A post on the Twitter status blog, from 12 minutes ago, indicates they have things under control. "We've identified and are patching a XSS attack; as always, please message @safety if you have info regarding such an exploit," it says.
Twitter still has to roll the patch out though. That could take a while to be completed, so consider that. The blog will be updated when the roll-out is complete.