
What Is XSS, The Vulnerability That Took Down TweetDeck?

If you’re a TweetDeck user, there’s a good chance that you saw a lot of people retweet something like this today:

You may also have gotten a dialogue box from TweetDeck in a browser that reminds you of being on the Internet in 2007.

TweetDeck, a client application for Twitter power users, was hit with an attack via a vulnerability that let someone else remotely hijack a user’s account and tweet the script above. Considering that many prolific tweeters are also TweetDeck users, it was difficult, if not impossible, for most users to avoid that malicious—if not terribly damaging—script today.

What Is XSS?

Blame what’s known as a cross-site scripting vulnerability, usually just called XSS. This is a common security hole in Web applications—a favorite among nefarious hackers and pranksters alike—through which an attacker gets the application to run code of the attacker’s choosing (formally, a script) inside other users’ browsers. Because the injected script runs as part of the site itself, inside the victim’s already logged-in session, XSS lets attackers make an end run around access controls such as passwords or security questions: the script never needs the password, it simply acts as the authenticated user.

Historically, there have been two main families of XSS vulnerabilities. The first is server-side: the attacker’s script passes through the Web server, which either echoes it straight back in a response (reflected XSS) or stores it and serves it to other users later (stored XSS). Either way, the server itself puts the script into the page, and the (ostensibly malicious) commands reach unsuspecting users via the Web pages they’re viewing. This doesn’t seem to be the sort of attack that took TweetDeck offline today.

Instead, TweetDeck likely experienced what is known as DOM-based (for Document Object Model) cross-site scripting. The DOM is a cross-platform convention for representing and interacting with objects in HTML and other Web documents. In DOM-based XSS the server never injects the script into a page; it may store and relay the attacker’s text unchanged (here, as an ordinary tweet), and the bug lies in the application’s own client-side JavaScript, which takes that text and writes it into the page as HTML rather than as plain text. The script is therefore assembled and run entirely inside the user’s browser, as part of the page’s document model. In this case, the application in question was TweetDeck.

Given the way this sort of attack works, the script was limited to actions that TweetDeck itself could normally take. (In case you’re curious, that’s because JavaScript in a page runs inside the browser’s sandbox and is bound by the same-origin policy: it can do whatever the page it runs in can do, which here means using the victim’s TweetDeck session to talk to Twitter as that user, and nothing more.) So the script could have tweeted, retweeted, favorited, followed or unfollowed users. It would not, however, have gotten access to a computer’s hard drive or sensitive files stored locally.

Near as anyone can tell at the moment, the only thing this script did was to propagate itself by sending out further tweets—well, and to push message popups onto the screens of affected users. According to The Verge, a 19-year-old Austrian is claiming responsibility for the incident, saying he stumbled across the TweetDeck security vulnerability by accident and was merely experimenting with it. It’s not immediately clear who was responsible for a subsequent rash of retweets and popup messages.

Twitter: All Clear

The attacks mostly affected users who run TweetDeck in browsers such as Google Chrome. Those who use the desktop client apparently weren’t specifically afflicted. Twitter first said that it had fixed the issue, then backtracked and took the service down for everybody at about 1:00 p.m. EST while it investigated the security issue.

Twitter has fixed the vulnerability and TweetDeck is currently working for all users on both desktop and Web clients. 
