Twitter has re-enabled the TweetDeck application after taking it down following successful exploitation of a cross-site scripting issue.
TweetDeck is a popular social media dashboard application used for managing Twitter accounts. Earlier in the day, Twitter advised TweetDeck users that it had fixed a security issue and told them to logout and log back in to fully apply an update. An hour after that however, Twitter disabled the application, before re-enabling it an hour later.
At the center of the situation was a bug that enabled cross-site scripting attacks, researchers said.
“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet,” Trey Ford, Global Security Strategist at Rapid7, explained in a statement. “The current attack we’re seeing is a worm that self-replicates by creating malicious tweets. It looks like this primarily affects users of the TweetDeck plugin for Google Chrome.”
“This worm hearkens back to the MySpace ‘Samy Worm’ in 2006, except for one key step- this worm does not appear to have the ability to force your account to follow the attacker,” he said.
Taking a quick look at Twitter shows lots of attempts to exploit this flaw still flying around, even though Twitter has now patched the issue, noted Chester Wisniewski, senior security advisor at Sophos.
“People have suggested this was not malicious, but I disagree,” he argued. “Creating a network worm even if only being used to spread a warning message is still malicious activity no matter how you cut it.”
The vulnerability caused a stir among TweetDeck users. In a short period of time, the issue was exploited to cause tens of thousands of users to retweet a single message.
“Cross site scripting attacks aren’t new and represent just one of the many vulnerabilities application developers need to consider when building an app like Tweetdeck,” Krishna Narayanaswamy, chief scientist at Netskope, told SecurityWeek. “What’s especially dangerous here though is the nature of social media is to share — good or bad, it’s designed to spread something far and wide. Just as Twitter has jumped to action to ensure they’re leveraging validation checks and other best practices, so should every app provider, especially those with mass appeal like this.”
“The guidance from TweetDeck is simple and correct – log out, and log back in,” said Ford. “One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat.”