Posted by Kevin on June 12, 2014.
OK, so what’s this all about? The first thing to note is the speed of TweetDeck’s reaction. As soon as they realised the problem, they shut down, fixed it, and restarted in just about one hour. So we’re safe now, yes?
No, we’re never safe. All we can do is judge whether the benefits we receive exceed the risks we take. Personally, I have revoked TweetDeck’s access to my Twitter account and will leave it revoked for a while yet. The reason is that yesterday’s kerfuffle revolved around the public disclosure of a flaw that had been in TweetDeck itself all along (or at least since the code update that introduced it). If one (now known) flaw exists, how can we be certain that others (still unknown to TweetDeck and the public) do not?
Violet Blue makes a valid statement in ZDnet:
TweetDeck was already broken, and it had been all along. It’s highly likely that this vulnerability has been exploited quietly by others until now. While today’s antics were harmless — though embarrassing for some and inconvenient for others — other uses of this vulnerability until today were probably not so light-hearted.
(from “TweetDeck wasn’t actually hacked, and everyone was silly”, ZDNet)
Over the next few weeks we can be certain that security researchers will be probing TweetDeck (and other Twitter apps) looking for other flaws. Hackers will be doing the same. So I for one am going to give the good guys time to find and report any other flaws before the bad guys find and exploit them. Then I’ll be back.
But what happened here? This was a cross-site scripting (XSS) flaw, one of the most common classes of web application vulnerability, and it was in TweetDeck’s own client code rather than in Twitter itself (Twitter owns TweetDeck). “In this case Twitter user @firoxl accidentally uncovered the flaw when looking for a way to post an emoticon; and others quickly piled on, using the flaw to force automated retweets,” explained Michael Sutton, VP of security research at Zscaler, in an email.
“Any organization that runs a website should be testing their code for these vulnerabilities before they go into production,” warned Tom Cross, director of security research at Lancope. “In this case, the consequence of the attack is mostly the ability to create annoying pop-ups that spread virally between users, but in other contexts XSS vulnerabilities can have more serious implications, which is why it’s important to check for them.”
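As an added illustration (this is not TweetDeck’s code; the function names and the sample tweets are constructed for this page), the Node.js snippet below shows the rendering mistake behind an XSS of this kind, the output escaping that fixes it, and a pre-production check of the sort Cross recommends. The benign tweet contains an emoticon with an angle bracket that must survive as text; the second carries a script that must not run.

```javascript
'use strict';

// Escape the five characters that let untrusted text break out of an HTML
// text node or a double-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: tweet fields are spliced into markup verbatim, so a tweet
// whose text contains <script> reaches the browser as code, not as text.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-id="${tweet.id}">` +
    `<span class="author">@${tweet.author}</span>` +
    `<p class="tweet-text">${tweet.text}</p>` +
    '</div>';
}

// Hardened pattern: every untrusted field is escaped before it touches the
// markup, so the output can only ever contain the template's own tags.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-id="${escapeHtml(tweet.id)}">` +
    `<span class="author">@${escapeHtml(tweet.author)}</span>` +
    `<p class="tweet-text">${escapeHtml(tweet.text)}</p>` +
    '</div>';
}

// Crude test oracle for the escaping above (not a sanitizer for live input):
// flag rendered markup that contains any tag the template does not emit, or an
// inline event-handler attribute on a tag it does emit.
const TEMPLATE_TAGS = new Set(['div', 'span', 'p']);
function hasForeignMarkup(html) {
  const tagRe = /<\/?\s*([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!TEMPLATE_TAGS.has(m[1].toLowerCase())) return true;
    if (/\son[a-z]+\s*=/i.test(m[2])) return true;
  }
  return false;
}

// Constructed sample tweets (not the 2014 payload): an emoticon whose "<3" is
// plain text, and a script tag of the kind that runs in every viewer's browser
// when rendered as code but is inert when rendered as text.
const SAMPLE_TWEETS = [
  { id: '1', author: 'alice', text: 'I <3 TweetDeck :)' },
  { id: '2', author: 'mallory', text: '<script>alert("xss")</script>' },
];

// Run the oracle over every sample with a given renderer; one boolean per tweet.
function audit(renderFn) {
  return SAMPLE_TWEETS.map((t) => hasForeignMarkup(renderFn(t)));
}

for (const t of SAMPLE_TWEETS) {
  console.log('unsafe:', renderTweetUnsafe(t));
  console.log('safe:  ', renderTweetSafe(t));
}
console.log('foreign markup, unsafe renderer:', audit(renderTweetUnsafe)); // [ false, true ]
console.log('foreign markup, safe renderer:  ', audit(renderTweetSafe));   // [ false, false ]
```

The oracle deliberately ignores `<3`, because a browser does too: only a `<` followed by a letter opens a tag, which is why the benign tweet passes under both renderers while the script tag is caught only in the unescaped output.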
Rapid7's Trey Ford gave more details:
Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter. This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we’re seeing is a “worm” that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.
The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat.
(featured Twitter Bird photo copyright Marisa Allegra Williams (@marisa) for Twitter, Inc.)