06-11-2014 12:41 PM
Graham Cluley | June 11, 2014
A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client.
At the time of writing the cross-site scripting (XSS) flaw doesn’t appear to have been exploited maliciously.
But that doesn’t mean you should rest on your laurels – after all, information about how to exploit the flaw is out there, and it is easy to imagine how someone could take advantage of it with malicious purposes.
XSS in Tweetdeck
06-11-2014 12:45 PM
A bit more information.
By Jack Clark, 11 Jun 2014
Twitter aficionados are being warned to log out of Twitter client TweetDeck and revoke its access to their accounts after an apparent cross-site scripting vulnerability was discovered.
Multiple users – including El Reg's HQ in London, England – reported on Wednesday that they had seen a suspicious pop-up within Tweetdeck that said “XSS in Tweetdeck”.
06-11-2014 03:03 PM
Thanks for posting this story, Jasper! As a Tweetdeck user, I'm glad I haven't logged in today.
In addition to the stories you posted, SC Magazine UK posted some good coverage of the story, with quotes from Webroot's very own Director of Product Marketing, George Anderson. Here's what he said in an email to SC Magazine (you can find the full story here):
"As Tweetdeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign-in again on a secure browser session and change their logins. It's also best not to use Tweetdeck as long as it remains infected."
Update: ABC is reporting that Twitter has patched the Tweetdeck vulnerability as of a few hours ago. You can read that report here.
(Source: SC Magazine UK)
06-11-2014 03:51 PM
The story from Ars Technica with some figures.
by Dan Goodin - June 11 2014
Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.
Within a few hours, the cross-site scripting (XSS) attack caused at least
06-12-2014 10:00 AM
Some coverage with quotes from our own George Anderson: