Well, it’s another day, and there’s been another hack. This time around it’s Tweetdeck, a third-party Twitter app that was acquired by the company in May 2011. The attack was enabled by a very simple, and apparently easy to overlook, class of vulnerability known as XSS — cross-site scripting.
Yesterday, Tweetdeck users started getting strange messages from their Tweetdeck clients such as popup dialog boxes that said “yo!” and “Never gonna give you up, never gonna let you down.” These popups were accompanied by a string of code that would retweet itself from user accounts, as soon as it was viewed.
Browsers and Tweetdeck clients would automatically execute the code as soon as the tweet carrying it appeared in a timeline. This string of code affected all users alike, even the BBC breaking news account, which has over 10 million followers.
Dan Goodin, security editor for Ars Technica, points to the Samy Worm of 2005, which knocked out MySpace for the better part of three days. “The filter bypass in this [recent Twitter] case was a little tricky,” Jeremiah Grossman, CEO of WhiteHat Security, told Goodin. “Cross-site scripting is a cockroach. It’s all but impossible to exterminate completely. No matter how hard you try and how much you invest, you’re going to make mistakes.”
@Tweetdeck claims to have fixed the problem after a couple of false starts, but the continued existence of any XSS vulnerability could make the whole Web ripe for picking.