Tweetdeck has an XSS flaw. Here’s what you should do right now

  • 11 June 2014
  • 4 replies
  • 1120 views

Userlevel 7
Badge +54
Graham Cluley | June 11, 2014
 
A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client.
At the time of writing, the cross-site scripting (XSS) flaw doesn’t appear to have been exploited maliciously.
But that doesn’t mean you should rest on your laurels – after all, information about how to exploit the flaw is out there, and it is easy to imagine how someone could take advantage of it with malicious purposes.
 
http://cdn.grahamcluley.com/wp-content/uploads/2014/06/xss.jpg
XSS in Tweetdeck
 
Full Article

4 replies

Userlevel 7
Badge +54
A bit more information.
 

Log out, revoke permissions, microwave your boxen - you know the drills

By Jack Clark, 11 Jun 2014

 
Twitter aficionados are being warned to log out of Twitter client TweetDeck and revoke its access to their accounts after an apparent cross-site scripting vulnerability was discovered.
Multiple users – including El Reg's HQ in London, England – reported on Wednesday that they had seen a suspicious pop-up within Tweetdeck that said “XSS in Tweetdeck”.
 This exploit was able to execute arbitrary JavaScript in the user's browser – this is very bad as it means a hacker could potentially exploit the flaw to hijack an account, redirect the browser page to somewhere nasty, unleash eldritch digital horrors (and, yes, open pop-ups).
 
Full Article
 
Userlevel 7
Thanks for posting this story, Jasper! As a Tweetdeck user, I'm glad I haven't logged in today.
 
In addition to the stories you posted, SC Magazine UK posted some good coverage of the story, with quotes from Webroot's very own Director of Product Marketing, George Anderson. Here's what he said in an email to SC Magazine (you can find the full story here): 
 
"As Tweetdeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign in again on a secure browser session and change their logins. It's also best not to use Tweetdeck as long as it remains infected."
 
Update: ABC is reporting that Twitter has patched the Tweetdeck vulnerability as of a few hours ago. You can read that report here

 



 
(Source: SC Magazine UK) 
Userlevel 7
Badge +54
The story from ars technica with some figures.

 
by Dan Goodin - June 11 2014
 

Running TweetDeck? It may have been hijacked by tweets containing attack code.

                                                                                 



 
Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.
Within a few hours, the cross-site scripting (XSS) attack caused at least 37,000 84,700 users to retweet a single message originally transmitted by the user @derGeruhn. The body of the message contained JavaScript commands that caused anyone viewing it in TweetDeck to automatically retweet it. The message spread virally. The more times it was retweeted, the more times it was viewed and retweeted by other people using the vulnerable app. The BBC News Twitter account alone pushed the message to 10.1 million followers.
 
Full Article
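The Ars excerpt above describes the root cause in one sentence: tweet text containing script was rendered by the client as live markup, so viewing a tweet was enough to run its author's JavaScript. The snippet below is an added illustration of that defect and its fix, not code from Ars Technica, Twitter or TweetDeck: a vulnerable renderer that splices untrusted text straight into HTML next to a hardened one that escapes the HTML metacharacters first. The user name, template and sample tweet are constructed for the example.

```javascript
// Added example (not TweetDeck's code): rendering untrusted tweet text so
// that any markup in it is displayed as text, never parsed as HTML.

// The five characters that let text break out of an HTML text node or
// attribute value, and their entity encodings.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape every HTML metacharacter in a string of untrusted text.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: the tweet author's text becomes part of the client's
// own markup, so a <script> tag or an on* attribute in a tweet executes in
// every viewer's browser with that viewer's session.
function renderTweetUnsafe(user, text) {
  return `<div class="tweet"><b>@${user}</b> ${text}</div>`;
}

// Hardened rendering: each untrusted field is escaped before it joins the
// template, so the browser shows the characters instead of parsing them.
function renderTweetSafe(user, text) {
  return `<div class="tweet"><b>@${escapeHtml(user)}</b> ${escapeHtml(text)}</div>`;
}

// Count tags in rendered output. The template contributes exactly four
// (<div>, <b>, </b>, </div>); anything beyond that came from untrusted input.
const TEMPLATE_TAG_COUNT = 4;
function tagCount(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample tweet, modelled on the pop-up text the thread reports.
// It is not the worm's actual payload.
const SAMPLE_TWEET = 'hello <script>alert("XSS in Tweetdeck")</script> ♥';

// Stand-alone run: show both renderings and whether input added any tags.
if (typeof require !== "undefined" && require.main === module) {
  for (const render of [renderTweetUnsafe, renderTweetSafe]) {
    const html = render("someone", SAMPLE_TWEET);
    const leaked = tagCount(html) > TEMPLATE_TAG_COUNT;
    console.log(`${render.name}: ${html}\n  tags from input: ${leaked}`);
  }
}
```

Escaping at the point where text meets markup is the fix the vulnerability calls for; a Content-Security-Policy that forbids inline script is a useful second layer, since it would have stopped even an escaping bug of this kind from running code in the viewer's browser.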
 
 
 
Userlevel 7
Badge +56
Some coverage with quotes from our own George Anderson:
 
http://www.itpro.co.uk/security/22460/tweetdeck-users-urged-to-restart-app-to-avoid-xss-attack
 
http://www.dailymail.co.uk/sciencetech/article-2655890/TweetDeck-crashed-Austrian-teen-love-heart-symbol.html
 
http://www.dailymail.co.uk/sciencetech/article-2655397/Twitter-forced-shut-Tweetdeck-amid-major-security-breach.html
