And so the breaches continued: Twitter’s TweetDeck Hacked

TweetDeck, the popular social media dashboard application for management of Twitter accounts, had to be temporarily shut down today, after being found vulnerable to cross-site scripting (XSS).

The incident occurred reportedly as an accident when an Austrian teenager succeeded in using the ♥ symbol by creating an opening in TweetDeck’s software. After trying the same message a couple of times, he announced the discovery of the vulnerability in TweetDeck, via a tweet. By the time he informed Twitter about the vulnerability, the hacker’s community had already ensured a mass TweetDeck hijacking.

If you are wondering how a single tweet caused such massive disruption in the tweet world, let us take you through a little more detail. Cross-site scripting, commonly known as XSS, refers to a weakness in the design of a website which can then be used by an attacker to inject malicious code into a website or web application, causing it to sway from its determined function. In this case, the XSS in TweetDeck allowed JavaScript to become plain text where a computer code was inserted, which when viewed in a user’s TweetDeck, retweeted itself as a code.  The result was a worm which even though unable to force the user to follow the attacker, did cause considerable damage as it replicated with the simple act of viewing and did not restrict itself to infect, only when clicked upon.

Users were alerted when they started receiving strange pop-ups, meanwhile, their TweetDeck app was busy re-tweeting tweets from “andy” (@derGeruhn ) over 40,000 users’ systems. Efforts to un-retweet these messages, resulted in an error message and did not cause any effect on the original message.

Could this have been avoided?

Yes.

Could this have resulted in more damage?

The answer, unfortunately, is again, Yes.

As we have explained in a previous post, hackers frequently use XSS to execute scripts in the victim’s applications which can hijack user sessions, deface websites, or redirect the user to malicious sites. This attack for TweetDeck could have easily resulted in a major brand tarnishing episode. Quick action on their part helped, and also the fact that the initiator informed them of the vulnerability quickly. But this is not always the case. Loss of millions, even billions of dollars can be prevented by enterprises if a few steps are taken to protect a web application:-

1. Exercising caution when clicking on links that look suspicious ( Of course, in this case, viewing was enough to get the code into action )
2. An active vigil should be practiced by your security vendor while assessing the safety of your applications. Continuous vulnerability assessments of your applications help you in finding the vulnerabilities before the hacker does and fixing them. The flaw that was exploited in TweetDeck existed since 2011. Apparently, TweetDeck missed fixing this flaw. A scan done by  IndusGuard Web/Mobile could have easily saved them from all the bad press. Indusface Web Application Security helps in securing organizations’ web applications with automated and manual scanning to detect all vulnerabilities. Similarly, Indusface Mobile helps in securing your mobile applications from such malicious attacks and loss of sensitive data.
3. Add a Web Application Firewall (WAF) to your defense layers. Gartner mentioned in a recent report that any organization which owns a public website, makes internal Web Applications available to partners and clients, or has business-critical internal web applications, should consider investing in WAF. In the attack on TweetDeck, the tweet that started it all was added with a script that forced the simulation of the retweet button. A WAF could have blocked the keywords resulting in the formation of the malicious script and could have prevented the attack altogether.

Even though Twitter has announced that the security issue infecting TweetDeck has been fixed, the probability of the bug providing hackers access to your login credentials is quite high. Therefore it’s a good idea to change your password for TweetDeck and any other accounts where you were repeating the same password.

Stay tuned for more relevant and interesting security articles. Follow Indusface on Facebook, Twitter, and LinkedIn.