Twitter fixed a cross-site scripting flaw in its popular TweetDeck application Wednesday, after millions of users were hit with a malicious script targeting the vulnerability.

The vulnerability allowed anyone to place a script in a tweet. Once the tweet appeared inside TweetDeck, the code could execute actions and be automatically re-tweeted to other accounts. The XSS vulnerability did not require any user interaction; simply viewing the tweet was sufficient.

“The current attack we’re seeing is a ‘worm’ that self-replicates by creating malicious tweets,” said Trey Ford, a global security strategist at Rapid7.

Twitter rolled out a fix for the security flaw fairly quickly and informed users via a tweet: “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.” However, it turned out the fix wasn’t valid, and the site was temporarily disabled for about an hour.

Even with the application patched, end-users still have to log out and back in to get the fix. XSS attacks can be used to steal user sessions so logging out of the application is necessary to ensure the session ID is no longer valid.

Ford said the XSS bug seems to affect only users using TweetDeck from Google Chrome, but there were reports other users on other platforms, such as Internet Explorer 9, were also affected.

The XSS attack resembled an Internet worm, much like the MySpace ‘Samy Worm’ in 2006, as it replicated and spread from account to account, said Ford. Even after the vulnerability was fixed, it still “spread like wildfire through Twitter,” he said.

For example, a Twitter account used by BBC to post breaking news items (@BBCBreaking) wound up posting a script to over 10 million followers.

“This could easily been a Malware drive by which would have had a major effect,” said Barry Shtieman, director of security strategy at Imperva.

Organizations who use TweetDeck to manage their Twitter accounts need to make sure they log out of the application entirely and log back in.

Fahmida Y. Rashid is an accomplished security journalist and technologist. She is a regular contributor for several publications including where she is a networking and security analyst.  She also was a senior writer at eWeek where she covered security, core Internet infrastructure and open source. As well, she was a senior technical editor at CRN Test Center reviewing open source, storage, and networking products. 

Leave a Reply