Thursday, 12 June 2014

TweetDeck flaw uncovered “by accident”

A vulnerability in the official Twitter client TweetDeck left users open to attack, forcing thousands of users to retweet cryptic lines of code to other users. Twitter repeatedly shut down the service after discovering the TweetDeck flaw, despite assurances that it had been ‘fixed’, according to The Guardian’s report.
The cross-site scripting (XSS) TweetDeck flaw, described as “potentially serious” by veteran security researcher and We Live Security writer Graham Cluley, affected users on some versions of TweetDeck’s app, and was first noticed when 40,000 TweetDeck users involuntarily retweeted a “cryptic” line of code sent by a German programmer, according to the Washington Post.
According to the Daily Mail, the flaw was discovered “by accident” by an Austrian teenager who found that typing “&hearts” into TweetDeck created a “cute” loveheart symbol – and Tweeted his find to fellow students.
The vulnerability allowed execution of JavaScript code contained within tweets, which enabled the bug to spread rapidly, using code which forced TweetDeck users to retweet it. Other variants caused cryptic “warning” messages to pop up in the Chrome version of TweetDeck, saying “Yo!”, or changed the font to Comic Sans.
The flaw only affected users of TweetDeck, a more complex and “advanced” Twitter client available as an app and browser plug-in. Users who accessed Twitter via a browser, or via other apps such as the official Twitter app or Echofon, were unaffected.
“Firo”, the Austrian student who discovered – and accidentally unleashed – the vulnerability said in an interview with CNN, “It’s horror that TweetDeck made that mistake. It’s horror that [hackers] are using this issue. I don’t know. I’m sad in a way.”
Twitter said in a tweet from the official TweetDeck account that the flaw had been fixed late on Wednesday, saying, “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.”
Users, however, reported that the problems caused by the flaw continued. The official TweetDeck account acknowledged this, and said that the service had been taken down again to “verify” the fix.
Later, the firm tweeted, “We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.”

Kids hack Canadian ATM during LUNCH HOUR

Two Canadian kids have made a mockery of bank security by hacking into an automatic teller machine during a break between classes.
The 14-year-old duo Caleb Turon and Matthew Hewlett broke into a Bank of Montreal ATM during school lunch by following an online manual for accessing the machine's administrator functions.
The security charade continued when the pair, after being asked by the bank's head of security for proof of their hack, simply broke back into the machine and printed off information including transaction data, surcharge profits and the total cash held in the unit.
Turon and Hewlett gained access to that data by guessing the administrator password on their first attempt, indicating the ATM had default settings enabled.
The rascals took it upon themselves to perform a civic duty by dropping the surcharge for transactions to one cent and changing the welcome display screen to: "Go away. This ATM has been hacked".
Hewlett told the Winnipeg Sun they did not expect the hack to work.
"We thought it would be fun to try it, but we were not expecting it to work," he said.
The bank wrote the pair a late note for their return from lunch, excusing them as they were "assisting BMO with security".
The kids may have discovered one of a handful of websites that contained very detailed documentation explaining how to access administrative functions of ATMs.
Those forums existed ostensibly to help service people to access a variety of ATM makes and models but could be used by criminals (or apparently children) to break into the units.
The bank said customer information was not compromised and it would review security of its ATMs.