TweetDeck Hacked and Fixed

by Dan Vlasic on 12 June 2014 · 2080 views

Image source: Rappler

In case you didn't notice, yesterday was TweetDeck's turn to patch a security vulnerability: a cross-site scripting (XSS) flaw that displayed unwanted pop-ups to some users and allowed attackers to gain control over affected accounts. Users reported receiving pop-ups saying 'Please, close TweetDeck, it is not safe' and 'XSS.'


TweetDeck is Twitter's native client that allows users to manage and customize their timeline, lists, create filters and manage more than one Twitter account from one interface.

On Wednesday morning many TweetDeck users got an unpleasant surprise when their favorite Twitter client, which is available as a web app, a desktop program and a browser extension for Firefox and Chrome, started displaying unexpected pop-ups. The Chrome extension appears to have been hit hardest, although reports also came from users of the desktop versions.

As Gigaom explains, an app with an XSS flaw (here, TweetDeck) can be made to include attacker-supplied JavaScript in the content it displays: because the text of a tweet is inserted into the page without being neutralised, the browser parses the embedded code as if it were part of the app itself and runs it with the app's privileges, including the logged-in Twitter session.
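As an added illustration (example code written for this page, not TweetDeck's or Twitter's code), the following JavaScript contrasts a renderer that interpolates untrusted tweet text straight into markup with one that escapes it first. The tweet, the payload and the hashtag linkifier are constructed for the demonstration and do not reproduce the actual TweetDeck bug; the point is the general mechanism, plus one pitfall of decorating text after escaping it.

```javascript
// Added example, not TweetDeck's code: how a stored XSS arises when a client
// renders untrusted tweet text as HTML, and how escaping prevents it.

// Constructed sample tweet. <img onerror> is used because browsers fire
// event-handler attributes even when markup is inserted via innerHTML
// (a bare <script> inserted with innerHTML is not executed, though
// jQuery's .html() does evaluate script tags).
const maliciousTweet = {
  user: "mallory",
  text: 'check this out #xss <img src=x onerror="alert(\'XSS\')">',
};

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: untrusted fields go straight into markup. Once this string is
// assigned to element.innerHTML (or passed to jQuery .html()), the browser
// parses the attacker's tag as part of the page, inside the user's session.
function renderTweetVulnerable(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> <span>${tweet.text}</span></div>`;
}

// Hashtag linkifier that runs AFTER escaping. Two rules keep it safe:
//  - the capture is \w+ only, so it can never contain markup characters;
//  - it is anchored to start-of-text or whitespace, so escaped entities such
//    as &#39; are not mistaken for a "#39" hashtag.
function linkifyHashtags(escapedText) {
  return escapedText.replace(
    /(^|\s)#(\w+)/g,
    (_, pre, tag) => `${pre}<a href="/hashtag/${tag}">#${tag}</a>`
  );
}

// Hardened: every untrusted field is escaped before it touches markup.
function renderTweetSafe(tweet) {
  const user = escapeHtml(tweet.user);
  const text = linkifyHashtags(escapeHtml(tweet.text));
  return `<div class="tweet"><b>@${user}</b> <span>${text}</span></div>`;
}

// Demo heuristic: strip the tags this renderer emits itself and see whether
// anything tag-like remains. For the safe renderer the answer must be "no".
function hasForeignTags(html) {
  const ours = /<\/?(div|b|span|a)(\s[^>]*)?>/g;
  return /<\/?[a-z!?]/i.test(html.replace(ours, ""));
}

console.log("vulnerable:", renderTweetVulnerable(maliciousTweet));
console.log("safe:      ", renderTweetSafe(maliciousTweet));
```

The escaped output still reads correctly to the user (the browser decodes `&lt;img ...&gt;` back to visible text) but is inert, because the markup parser never sees a real `<`. Any later decoration step, such as linkifying hashtags or mentions, has to be written so that it cannot reintroduce raw user data into the markup.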

Once alarmed tweets reached Twitter support, the company acknowledged a TweetDeck security 'issue' and advised users to log out and log back in. Voilà!

Alas, that didn't fix it, and some users with prominent Twitter profiles started reporting worse problems: their accounts were retweeting the script that caused the pop-ups to everyone following them. In other words, the script was running inside the victim's own session and propagating itself, without the victim doing anything.

So Twitter temporarily took TweetDeck offline for everyone and released what it called a 'verified fix' for the exploit.


In the meantime, it is advisable to revoke TweetDeck's access to your Twitter account and change your Twitter password. It is still unclear how far affected accounts may have been abused, but it is better to be on the safe side. Note that revoking access is the step that actually cuts off an application's existing authorisation; a password change alone does not necessarily invalidate tokens an app was already granted.

You can revoke TweetDeck's access by going to your Twitter account Settings -> Apps and clicking Revoke Access next to TweetDeck. Clearing your browser's cache as well does no harm.

How long has this been around, you ask? The Verge did a bit of a retrospective on the XSS exploit in TweetDeck, and it dates back to a 2011 case in which researcher Mikko Hypponen first encountered the flaw. Twitter support said then, as now, that a patch had been released almost immediately. A lot of high-profile accounts were hacked back then, spreading the worm-like, self-replicating malicious code.


Ever since, the exploit was considered history. Even though the hack appears to affect only data within reach of TweetDeck's permissions, we have yet to see whether the flaw has truly been patched this time. The flaw was rediscovered by accident by a 19-year-old Twitter user, @Firoxl, who said it was an accident rather than a hack and reported the exploit to Twitter immediately after discovering it, according to The Verge.
