By Venkatesh Sundar, Chief Technology Officer, Indusface

sql_injection

TweetDeck, the popular social media dashboard application for management of Twitter accounts, had to be temporarily shut down today, after being found vulnerable to cross site scripting (XSS).

The incident occurred reportedly as an accident, when an Austrian teenager succeeded in using the ♥ symbol by creating an opening in TweetDecks’s software. After trying the same message a couple of times, he announced the discovery of the vulnerability in TweetDeck, via a tweet. By the time he informed Twitter about the vulnerability, the hackers community had already ensued a mass TweetDeck hijacking.

If you are wondering how a single tweet caused such massive disruption in the tweet world, let us take you through a little more detail. Cross site scripting, commonly known as XSS, refers to a weakness in the design of a website which can then be used by an attacker to inject a malicious code into a website or web application, causing it to sway from its determined function. In this case, the XSS in TweetDeck allowed JavaScript to become plain text where a computer code was inserted, which when viewed in a user’s TweetDeck, retweeted itself as a code.  The result was a worm which even though unable to force the user to follow the attacker, did cause considerable damage as it replicated with the simple act of viewing and did not restrict itself to infect, only when clicked upon.

Users were alerted when they started receiving strange pop ups, meanwhile, their TweetDeck app was busy re-tweeting tweets from “andy” (@derGeruhn ) over 40,000 users’ systems. Efforts to un-retweet these messages, resulted in an error message and did not cause any effect on the original message.

Could this have been avoided?

Yes.

Could this have resulted in more damage?

The answer unfortunately is again, Yes.

As we have explained in a previous post, hackers frequently use XSS to execute scripts in the victim’s applications which can hijack user sessions, deface websites, or redirect the user to malicious sites. This attack for TweetDeck could have easily resulted into a major brand tarnishing episode. Quick action on their part helped, and also the fact that the initiator informed them of the vulnerability quickly. But this is not always the case. Loss of millions, even billions of dollars can be prevented by enterprises if few steps are taken to protect a web application:-

  1. Exercising caution when clicking on links that look suspicious ( Of course in this case, viewing was enough to get the code into action )
  2. An active vigil should be practiced by your security vendor while assessing the safety of your applications. Continuous vulnerability assessments of your applications help you in finding the vulnerabilities before the hacker does, and fixing them. The flaw that was exploited in TweetDeck existed since 2011. Apparently TweetDeck missed fixing this flaw. A scan done by  IndusGuard Web/Mobile could have easily saved them from all the bad press.IndusGuard Web helps in securing organizations’ web applications with automated and manual scanning to detect all vulnerabilities. Similarly, IndusGuard Mobile helps in securing your mobile applications from such malicious attacks and loss of sensitive data.
  3. Add a Web Application Firewall (WAF) to your defense layers. Gartner mentioned in a recent report that any organization which owns a public website, makes internal Web Applications available to partners and clients, or has business critical internal web applications, should consider investing in WAF. In the attack on TweetDeck, the tweet that started it all, was added with a script which forced the simulation of the retweet button. A WAF could have blocked the keywords resulting in the formation of the malicious script and could have prevented the attack altogether.

Even though Twitter has announced that the security issue infecting TweetDeck has been fixed, the probability of the bug providing hackers access to your login credentials is quite high. Therefore it’s a good idea to change your password for TweetDeck and any other accounts where you were repeating the same password.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.