Twitter Fixes TweetDeck XSS Security Vulnerability

Twitter has re-enabled the TweetDeck application after taking it down following successful exploitation of a cross-site scripting issue.


TweetDeck is a popular social media dashboard application used for managing Twitter accounts. Earlier in the day, Twitter advised TweetDeck users that it had fixed a security issue and told them to log out and log back in to fully apply the update. An hour after that, however, Twitter disabled the application, before re-enabling it an hour later.

At the center of the situation was a bug that enabled cross-site scripting attacks, researchers said.

“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet,” Trey Ford, Global Security Strategist at Rapid7, explained in a statement. “The current attack we’re seeing is a worm that self-replicates by creating malicious tweets. It looks like this primarily affects users of the TweetDeck plugin for Google Chrome.”

“This worm hearkens back to the MySpace ‘Samy Worm’ in 2006, except for one key step: this worm does not appear to have the ability to force your account to follow the attacker,” he said.
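The defect Ford describes, a tweet rendered as markup rather than as text, is the textbook stored-XSS shape. The following is an added example, not TweetDeck's or Twitter's code and not the real worm payload: a vulnerable renderer that interpolates raw tweet text into HTML sits beside a hardened one that escapes first, with a small check that counts tags in the output to show which version lets tweet content become live elements. The sample tweet is constructed for the example.

```javascript
// Added example (not TweetDeck's or Twitter's code): a tweet rendered as
// HTML instead of text becomes stored XSS; escaping before interpolation
// prevents it. The sample tweet below is constructed, not the real payload.

// Constructed tweet text carrying a script tag and an already-escaped entity.
const SAMPLE_TWEET = 'Hello <script>alert(document.cookie)</script> world &lt;3';

// Vulnerable renderer: interpolates the raw tweet text into markup, so any
// tag inside the tweet becomes a live element when the string is inserted
// into the page (e.g. via innerHTML).
function renderTweetUnsafe(text) {
  return `<div class="tweet-text">${text}</div>`;
}

// Escape the five HTML-significant characters; after this the browser can
// only display the tweet, never execute it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, escaped data.
function renderTweetSafe(text) {
  return `<div class="tweet-text">${escapeHtml(text)}</div>`;
}

// Count element tags in rendered HTML. The template contributes exactly
// two (<div> and </div>); anything beyond that was injected by the tweet.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}
const TEMPLATE_TAG_COUNT = 2;

function tweetInjectsMarkup(renderFn, text) {
  return countTags(renderFn(text)) > TEMPLATE_TAG_COUNT;
}

// Run both renderers over the constructed tweet and report the verdicts.
function demo() {
  return {
    unsafeInjects: tweetInjectsMarkup(renderTweetUnsafe, SAMPLE_TWEET), // true
    safeInjects: tweetInjectsMarkup(renderTweetSafe, SAMPLE_TWEET),     // false
  };
}
```

The escaping must happen at the point where data meets markup, not on input: a tweet stored escaped would display as `&lt;3` rather than `<3`. Note also that a script injected this way runs with the viewer's own logged-in session, which is what lets a tweet that is merely displayed post copies of itself from each victim, as Ford describes.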

Taking a quick look at Twitter shows lots of attempts to exploit this flaw still flying around, even though Twitter has now patched the issue, noted Chester Wisniewski, senior security advisor at Sophos.

“People have suggested this was not malicious, but I disagree,” he argued. “Creating a network worm even if only being used to spread a warning message is still malicious activity no matter how you cut it.”

The vulnerability caused a stir among TweetDeck users. In a short period of time, the issue was exploited to cause tens of thousands of users to retweet a single message.

“Cross site scripting attacks aren’t new and represent just one of the many vulnerabilities application developers need to consider when building an app like Tweetdeck,” Krishna Narayanaswamy, chief scientist at Netskope, told SecurityWeek. “What’s especially dangerous here though is the nature of social media is to share — good or bad, it’s designed to spread something far and wide. Just as Twitter has jumped to action to ensure they’re leveraging validation checks and other best practices, so should every app provider, especially those with mass appeal like this.”

“The guidance from TweetDeck is simple and correct – log out, and log back in,” said Ford. “One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat.”
