Twitter restores TweetDeck service after XSS worm floods victims' feeds
Takes TweetDeck offline for an hour to double-check its fix
Computerworld - Twitter took its browser-based TweetDeck service offline Wednesday as it wrestled with a vulnerability that criminals exploited to tweet script-filled messages to victims' feeds.
"We've temporarily taken TweetDeck services down to assess today's earlier security issue," Twitter's TweetDeck account reported at 1 p.m. ET, 10 a.m. PT.
An hour later, the service was back up and running. "We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience," TweetDeck said, again on Twitter, at 1:55 p.m. ET, 10:55 a.m. PT. Computerworld confirmed by logging into an account at tweetdeck.twitter.com.
A cross-site scripting (XSS) vulnerability was to blame, researchers quickly said.
"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet," said Trey Ford, a security strategist at Rapid7, in an email. "The current attack we're seeing is a 'worm' that self-replicates by creating malicious tweets."
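The rendering mistake Ford describes, shown as an added example in JavaScript rather than as TweetDeck's own code (the article does not publish the client source): a feed renderer that interpolates tweet text straight into HTML markup, so a tweet body is parsed as tags and scripts, placed beside the hardened form that escapes every untrusted field first. The function names, the `escapeHtml` helper, the `containsActiveContent` check and the sample tweets are all assumptions constructed for the example; the payload strings are generic placeholders, not the 2014 worm's actual tweet.

```javascript
// Added example, not TweetDeck's code. Models the bug class the article
// describes: tweet text rendered as markup instead of as text.

// Escape the characters that can change HTML text or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: tweet fields are concatenated into markup, so any '<' in the
// body opens a tag and any <script> in it runs when the feed is viewed.
function renderTweetVulnerable(tweet) {
  return `<div class="tweet" data-id="${tweet.id}">` +
         `<span class="user">${tweet.user}</span>` +
         `<span class="text">${tweet.text}</span></div>`;
}

// Hardened: every untrusted field is escaped before it reaches the template,
// so user-supplied '<' becomes '&lt;' and can never start a tag.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-id="${escapeHtml(tweet.id)}">` +
         `<span class="user">${escapeHtml(tweet.user)}</span>` +
         `<span class="text">${escapeHtml(tweet.text)}</span></div>`;
}

// Offline check: tokenize the tags in rendered markup and flag a <script>
// tag or an inline on*= handler. Only template-origin tags should remain
// after proper escaping, so the safe renderer must never trip this.
function containsActiveContent(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((t) => /^<script\b/i.test(t) || /\son\w+\s*=/i.test(t));
}

// Constructed sample feed (hypothetical accounts and placeholder payloads).
const sampleTweets = [
  { id: '1', user: 'alice', text: 'hello world' },
  { id: '2', user: 'mallory', text: '<script>/* would run on view */</script>' },
  { id: '3', user: 'mallory', text: '<img src=x onerror="alert(1)">' },
];

function renderFeed(tweets, renderer) {
  return tweets.map(renderer).join('\n');
}

// Report which tweet ids introduce active content under a given renderer.
function auditFeed(tweets, renderer) {
  return tweets.filter((t) => containsActiveContent(renderer(t))).map((t) => t.id);
}

console.log('vulnerable renderer flags:', auditFeed(sampleTweets, renderTweetVulnerable));
console.log('safe renderer flags:', auditFeed(sampleTweets, renderTweetSafe));
```

The worm property follows directly from the vulnerable path: a tweet whose body is a script that, when it runs in the viewer's session, posts the same body from the viewer's account is re-rendered as code by every client that loads it. The fix is a context-correct output encoding at the render site; in a real browser client the equivalent is assigning tweet text through `textContent` rather than `innerHTML`.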
The vulnerability primarily affected users who had installed the TweetDeck Web app designed for Google's Chrome browser, but there were scattered reports that the bug also impacted the Windows client application and the Web app for Firefox.
Twitter itself, including its website-based feed and those it served to its own and third-party desktop and mobile clients, was unaffected.
Earlier Wednesday, TweetDeck urged users to log out of the service, then log back in, a process that was meant to clear users' sessions and thus prevent any additional malicious tweeting. Some who followed the instructions, however, continued to see unauthorized tweets on their feeds. That is consistent with a rendering bug: re-authenticating replaces the session token, but it does not change how a still-unpatched client renders the malicious tweets already in the stream, so loading one of them again re-runs the script.
Rapid7's Ford compared the TweetDeck problem to the "Samy" worm that crawled through MySpace nine years ago. Named for its maker, Samy Kamkar -- who later pled guilty to hacking charges and served three years of probation -- the worm exploited a cross-site scripting vulnerability in the then-popular MySpace social network. The worm automatically made friend requests to Kamkar, and spread when victims viewed their profiles.
"This [TweetDeck] worm does not appear to have the ability to force your account to follow the attacker," Ford asserted.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer.