If you’re a TweetDeck user, there’s a good chance that you saw a lot of people retweet something like this today:
You may also have gotten a dialogue box from TweetDeck in a browser that reminds you of being on the Internet in 2007.
TweetDeck, a client application for Twitter power users, was hit with an attack via a vulnerability that let someone else remotely hijack a user’s account and tweet the script above. Considering that many prolific tweeters are also TweetDeck users, it was difficult, if not impossible, for most users to avoid that malicious—if not terribly damaging—script today.
What Is XSS?
Blame what’s known as a cross-site scripting vulnerability, usually just called XSS. This is a common security hole in Web applications—a favorite among nefarious hackers and pranksters alike—through which a hacker can make the application run outside code (formally, a script). XSS allows attackers to make an end run around access controls such as passwords or security questions.
Historically, there have been two main types of XSS vulnerabilities. The first involves an attack in which the scripting code hits a Web server and then sends (ostensibly malicious) commands to unsuspecting users via the Web pages they’re viewing. This doesn’t seem to be the sort of attack that took Tweetdeck offline today.
Instead, TweetDeck likely experienced what is known as DOM-based (for Document Object Model) cross-site scripting. DOM is a cross-platform convention for representing and interacting with objects in HTML and other Web documents. DOM-based cross-site scripting doesn’t touch the server; instead, the attacker sends a malicious script directly to a user, where it runs inside a Web application in the user’s browser (technically, as part of an associated document model that was maliciously modified in the attack). In this case, the application in question was TweetDeck.
Given the way this sort of attack works, the script was limited to actions that TweetDeck itself could normally take. (In case you’re curious, that’s because all JavaScript—including the malicious code in this XSS attack—executes in a “sandbox” that limits its access to data and other functions on the computer.) So the script could have tweeted, retweeted, favorited, followed or unfollowed users. It would not, however, have gotten access to a computer’s hard drive or sensitive files stored locally.
Near as anyone can tell at the moment, the only thing this script did was to propagate itself by sending out further tweets—well, and to push message popups onto the screens of affected users. According to The Verge, a 19-year-old Austrian is claiming responsibility for the incident, saying he stumbled across the TweetDeck security vulnerability by accident and was merely experimenting with it. It’s not immediately clear who was responsible for a subsequent rash of retweets and popup messages.
Twitter: All Clear
The attacks mostly affected users who run TweetDeck in browsers such as Google Chrome. Those that use the desktop client apparently weren’t specifically afflicted. Twitter had said that it had fixed the issue before backtracking and taking down the service for everybody around as of about 1:00 p.m. EST while it investigated the security issue.
Twitter has fixed the vulnerability and TweetDeck is currently working for all users on both desktop and Web clients.