Thursday, 12 June 2014

TweetDeck flaw uncovered “by accident”

A vulnerability in the official Twitter client Tweetdeck left users open to attack, forcing thousands of users to retweet cryptic lines of code to other users. Twitter repeatedly shut down the service after discovering the Tweetdeck flaw, despite assurances it had been ‘fixed’, according to The Guardian’s report.
The cross-site scripting (XSS) Tweetdeck flaw, described as “potentially serious” by veteran security researcher and We Live Security writer Graham Cluley, affected users on some versions of Tweetdeck’s app, and was first noticed when 40,000 TweetDeck users involuntarily retweeted a “cryptic” line of code sent by a German programmer, according to the Washington Post.
According to the Daily Mail, the flaw was discovered “by accident” by an Austrian teenager who found that typing “&hearts” into TweetDeck created a “cute” loveheart symbol – and Tweeted his find to fellow students.
The vulnerability allowed execution of Javascript code contained within Tweets, which enabled the bug to spread rapidly, using code which forced Tweetdeck users to Retweet it. Other variants caused cryptic “warning” messages to pop up in the Chrome version of TweetDeck, saying “Yo!” or changing the font to Comic Sans.
The flaw only affected users of TweetDeck, a more complex and “advanced” Twitter client available as an app and browser plug-in. Users who accessed Twitter via browsers, or via other apps such as Twitter or Echofon were unaffected.
“Firo”, the Austrian student who discovered – and accidentally unleashed – the vulnerability said in an interview with CNN, “It’s horror that TweetDeck made that mistake. It’s horror that [hackers] are using this issue. I don’t know. I’m sad in a way.”
Twitter said in a Tweet via the official Tweetdeck account that the flaw had been fixed late on Wednesday, saying, “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.”
Users, however, reported that the problems caused by the flaw continued. The official TweetDeck account acknowledged this, and said that the service had been taken down again to “verify” the  fix.
Later, the firm Tweeted, “We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.”

No comments:

Post a Comment