By Venkatesh Sundar, Chief Technology Officer, Indusface
TweetDeck, the popular social media dashboard application for management of Twitter accounts, had to be temporarily shut down today, after being found vulnerable to cross-site scripting (XSS).
The incident occurred reportedly as an accident when an Austrian teenager succeeded in using the ♥ symbol by creating an opening in TweetDeck’s software. After trying the same message a couple of times, he announced the discovery of the vulnerability in TweetDeck, via a tweet. By the time he informed Twitter about the vulnerability, the hacker’s community had already ensured a mass TweetDeck hijacking.
Users were alerted when they started receiving strange pop-ups, meanwhile, their TweetDeck app was busy re-tweeting tweets from “andy” (@derGeruhn ) over 40,000 users’ systems. Efforts to un-retweet these messages, resulted in an error message and did not cause any effect on the original message.
Could this have been avoided?
Could this have resulted in more damage?
The answer, unfortunately, is again, Yes.
As we have explained in a previous post, hackers frequently use XSS to execute scripts in the victim’s applications which can hijack user sessions, deface websites, or redirect the user to malicious sites. This attack for TweetDeck could have easily resulted in a major brand tarnishing episode. Quick action on their part helped, and also the fact that the initiator informed them of the vulnerability quickly. But this is not always the case. Loss of millions, even billions of dollars can be prevented by enterprises if a few steps are taken to protect a web application:-
Even though Twitter has announced that the security issue infecting TweetDeck has been fixed, the probability of the bug providing hackers access to your login credentials is quite high. Therefore it’s a good idea to change your password for TweetDeck and any other accounts where you were repeating the same password.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.