Tweetdeck taken down after major security bug found

Tweetdeck taken down after major security bug found
written by Andrea Peterson

A major vulnerability rocked Tweetdeck, the popular social media management tool owned by Twitter, Wednesday.

Tweetdeck initially confirmed the issue via tweet, naturally, and advised users to log out out of the platform and log back in to fix the problem.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.

— TweetDeck (@TweetDeck) June 11, 2014

 

But then Tweetdeck took down their services entirely so they could “assess” the issue.

We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.

— TweetDeck (@TweetDeck) June 11, 2014

 

The issues appears to have been a javascript cross-site scripting, or XSS, error primarily affecting users accessing the platform via Google’s Chrome browser. Basically, that means if a Tweet contained javascript, the platform would automatically run it.

A lot of users seemed to be using it to make the site deliver funny messages — like this one the reporter received:

(Andrea Peterson/Washington Post)

(Andrea Peterson/Washington Post)

But experts say a savvier scripter could do more nefarious things. Mikko Hypponen, the chief research officer at F-Secure Mobile who discovered a similar cross-site scripting error in Tweetdeck back in 2011, says this kind of issue could be used to make users share tweets linking to malicious content — or even be used to spread a worm-like attack where a user is forced to send tweets that direct others to do the same.

Indeed, Trey Ford, a global security strategist at cybersecurity company Rapid7, says his company is seeing that problem already.

Twitter’s 140-character limit isn’t a barrier to this type of issue, Hypponen says, because the script could just refer a user to a run javascript that is remotely hosted elsewhere on the web. Scott Montgomery, vice president of public sector solutions at cybersecurity firm McAfee, agrees with Hypponen that 140 characters “is plenty” for a cross-site script attack to link off to remotely hosted code, but he doesn’t think the Tweetdeck bug is as serious as some other major vulnerabilities in the news lately, like Heartbleed.

Plus, he says, Twitter responded very quickly to the issue. “The time between when the exploit was announced and when the fix came was actually pretty short,” Montgomery noted. However, the real question, he says, is just how long the code remained in the wild and who may have been exploiting it during that time.





The Switch

You must be logged in to post a comment Login