The simple act of reading tweets on twitter.com could let somebody steal your login cookie and potentially gain access to your Twitter account, or simply redirect you to a phishing site, and so on.
The injected code could also delete all your Twitter messages or send a message to all your followers.
James Slater has already made Twitter aware of the problem, but so far Twitter apparently hasn’t done anything other than make sure it’s not possible to enter a space in the “API field”. I doubt that is really effective. He therefore urges you to only follow people you know, not just people who follow you.
In this video, James Slater demonstrates how it works: