TweetDeck, the popular social media dashboard application for management of Twitter accounts, had to be temporarily shut down today, after being found vulnerable to cross-site scripting (XSS).
The incident occurred reportedly as an accident when an Austrian teenager succeeded in using the ♥ symbol by creating an opening in TweetDeck’s software. After trying the same message a couple of times, he announced the discovery of the vulnerability in TweetDeck, via a tweet. By the time he informed Twitter about the vulnerability, the hacker’s community had already ensured a mass TweetDeck hijacking.
If you are wondering how a single tweet caused such massive disruption in the tweet world, let us take you through a little more detail. Cross-site scripting, commonly known as XSS, refers to a weakness in the design of a website which can then be used by an attacker to inject malicious code into a website or web application, causing it to sway from its determined function. In this case, the XSS in TweetDeck allowed JavaScript to become plain text where a computer code was inserted, which when viewed in a user’s TweetDeck, retweeted itself as a code. The result was a worm which even though unable to force the user to follow the attacker, did cause considerable damage as it replicated with the simple act of viewing and did not restrict itself to infect, only when clicked upon.
Users were alerted when they started receiving strange pop-ups, meanwhile, their TweetDeck app was busy re-tweeting tweets from “andy” (@derGeruhn ) over 40,000 users’ systems. Efforts to un-retweet these messages, resulted in an error message and did not cause any effect on the original message.
Could this have been avoided?
Yes.
Could this have resulted in more damage?
The answer, unfortunately, is again, Yes.
As we have explained in a previous post, hackers frequently use XSS to execute scripts in the victim’s applications which can hijack user sessions, deface websites, or redirect the user to malicious sites. This attack for TweetDeck could have easily resulted in a major brand tarnishing episode. Quick action on their part helped, and also the fact that the initiator informed them of the vulnerability quickly. But this is not always the case. Loss of millions, even billions of dollars can be prevented by enterprises if a few steps are taken to protect a web application:-
Even though Twitter has announced that the security issue infecting TweetDeck has been fixed, the probability of the bug providing hackers access to your login credentials is quite high. Therefore it’s a good idea to change your password for TweetDeck and any other accounts where you were repeating the same password.
Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.
This post was last modified on July 28, 2023 15:32
Explore crucial tactics like Asset Inventory, Patch Management, Access Control & Authentication, and additional best… Read More
Delve into the data privacy questions including consent protocols, data minimization strategies, user rights management,… Read More
Secure Node.js APIs using best practices: Employ proper HTTP methods, robust authentication, and API-specific security… Read More