
Use Tweetdeck? Close it RIGHT NOW or get hacked

XSS in Tweetdeck. Image courtesy of Twitter user Richard Stanway (@R1CH_TL)

Basic XSS security flaw found in Tweetdeck allows attackers to run JavaScript in other users' browsers

Update: Tweetdeck say the problem is now fixed. Read below for details of the XSS flaw that caused chaos on the service earlier today

A staggering security flaw has been uncovered in the Tweetdeck extension for Chrome that lets attackers run their own JavaScript in the browser of any user of the Twitter client, simply by getting a crafted tweet in front of them.

The XSS, or cross-site scripting, vulnerability allows JavaScript embedded in the text of a tweet to run when Tweetdeck displays that tweet, with the permissions of whichever user is viewing it. A well-written application encodes user-supplied text before inserting it into the page, so a tweet containing HTML or script is shown as plain text rather than interpreted by the browser.

At present the vulnerability is only being used to show annoying and joke pop-up messages or to link to joke websites. One tweet created to exploit the flaw automatically retweeted itself over 30,000 times in a matter of minutes, while another changed the default font in Tweetdeck.

The vulnerability could be used for far nastier purposes, since the injected script runs as whichever user views the tweet: posting spam tweets, unfollowing people, directing followers towards malicious sites and stealing personal information.

Concerned and shocked Tweetdeck users posted images of the attack being executed to alert others.

Following widespread reporting of the issue Tweetdeck announced it was taking itself offline to fix the problem.

“We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up,” the Tweetdeck update explained.

An earlier post from Tweetdeck said a security issue affecting it this morning had been “fixed”, although it isn’t clear whether the two issues are related.

The security issue is believed to only affect the Chrome extension for Tweetdeck and not the desktop version. The XSS vulnerability has been reported on both Windows and Mac versions of the Tweetdeck app for Chrome.

People are strongly advised to not use any version of Tweetdeck until the team behind the application confirm it is safe to do so.

Users should also revoke Tweetdeck’s access to Twitter by going to the Twitter website and clicking Settings, Apps and then ‘Revoke access’ next to Tweetdeck.

George Anderson, director at online security company Webroot, said that XSS vulnerabilities were simple to exploit and very dangerous:

“It allows the attacker to run a script, which makes XSS vulnerability so dangerous. The script is able to send any sensitive information accessible from within the browser back to the hacker,” he explained.

“A potential attacker can gain access to the user’s private information – such as passwords, usernames and card numbers.”

This isn’t the first time an XSS vulnerability has been found in Tweetdeck. A similar issue was reported and fixed back in 2011.

We’ll be updating this story with the latest.
