TweetDeck Taken Offline After XSS Flaw Hits Users


A cross-site scripting (XSS) vulnerability in Twitter’s popular TweetDeck platform took the site down for several hours on Wednesday.

The problem appears to have stemmed from a simple test tweet by an Austrian teenager with the handle ‘@firoxl’. He accidentally discovered the XSS flaw while trying to find a way to tweet a heart symbol using JavaScript tags.
After it worked, the 19-year-old announced he’d discovered a vulnerability in TweetDeck and publicly notified the service. Eagle-eyed members of the hacking community soon began experimenting with their own exploits, according to CNN Money.
Most of these seemed pretty harmless, coming in the form of pop-ups with messages like “Please close now TweetDeck, it is not safe”.
The vulnerability itself is believed to date back to 2011, although Twitter was supposed to have fixed that particular flaw at the time. The now infamous @firoxl, whose real name is Florian, claims not to have known about it when he started experimenting with JavaScript.
After finding out about the bug on Wednesday, Twitter said it had been fixed and asked users to log out and then back in again to TweetDeck to “fully apply the fix”. However, some users still reported problems, so Twitter was forced to take the service down “to assess today’s earlier security issue”.
The firm then brought TweetDeck back online, claiming that it had now “verified” the fix.
The whole drama of Wednesday was perfectly timed, coming as it did just after Twitter was crowned the most trustworthy site on the web by the Online Trust Alliance.
Cross-site scripting is one of the most common vulnerabilities affecting web apps, but also one of the most dangerous.
Paco Hope, principal consultant at app security firm Cigital, claimed that the bug could allow an attacker to redirect a victim’s browser to a malicious web page, or even to tweet as that user, “thereby spreading itself”.
“The victim could be attacked if the tweet managed to show up in his stream, which it could do without his knowledge or interaction,” Hope added. “This underscores the importance of finding bugs in code as well as flaws in design. In this case a bug is all that was necessary to wreak havoc.”
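As an added illustration of the bug class Hope describes (example code, not TweetDeck’s or Twitter’s), the snippet below renders a tweet into HTML the unsafe way, by splicing the text straight into markup, and the hardened way, escaping it at output; the sample tweets and the `hasUnexpectedTags` check are constructed for this example.

```javascript
// Constructed sample tweets: a harmless one with a heart symbol, and one that
// carries markup a client must display as text, never execute.
const SAMPLE_TWEETS = [
  { user: "alice", text: "I love TweetDeck ♥" },
  { user: "mallory", text: '<script>alert("Please close now TweetDeck")</script>' },
];

// Escape the five characters that change meaning inside HTML text or attributes.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted tweet fields are concatenated into markup, so
// any tag inside the tweet becomes part of the page when a column is rendered.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped at the point of output.
// The heart symbol is plain text and passes through unchanged.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Defender's check on a rendered fragment: the only tag names present should be
// the ones the template itself emits. Returns true if any other tag appears.
function hasUnexpectedTags(html, allowed = ["div", "b"]) {
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)/gi)].map((m) => m[1].toLowerCase());
  return names.some((name) => !allowed.includes(name));
}

for (const tweet of SAMPLE_TWEETS) {
  console.log("unsafe:", renderTweetUnsafe(tweet), "->", hasUnexpectedTags(renderTweetUnsafe(tweet)));
  console.log("safe:  ", renderTweetSafe(tweet), "->", hasUnexpectedTags(renderTweetSafe(tweet)));
}
```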
