Tweetdeck Hack Exposes JavaScript Vulnerability

Users got strange messages from their Tweetdeck clients, and a string of code was retweeted all over the Twittersphere.



Well, it’s another day, and there’s been another hack. This time around it’s Tweetdeck, a third-party Twitter app that Twitter acquired in May 2011. The attack was enabled by a very simple, and apparently easy to overlook, class of flaw known as XSS (cross-site scripting).

Yesterday, Tweetdeck users started getting strange messages from their Tweetdeck clients, such as popup dialog boxes that said “yo!” and “Never gonna give you up, never gonna let you down.” These popups were accompanied by a string of code that would retweet itself from a user’s account as soon as it was viewed.

Browsers and Tweetdeck clients would automatically execute the code as it appeared. This string of code affected all users alike, even the BBC breaking news account, which has over 10 million followers.

The vulnerability allowed the creator to insert a self-replicating worm into Twitter. While there didn’t appear to be any malice behind this hack, it exposed a gaping vulnerability in Tweetdeck, and in sites that rely on JavaScript, which is a lot of them.

Dan Goodin, security editor for Ars Technica, points to the Samy Worm of 2005, which knocked out MySpace for the better part of three days. “The filter bypass in this [recent Twitter] case was a little tricky,” Jeremiah Grossman, CEO of WhiteHat Security, told Goodin. “Cross-site scripting is a cockroach. It’s all but impossible to exterminate completely. No matter how hard you try and how much you invest, you’re going to make mistakes.”

In other words, once a worm is out there, whether on Twitter or MySpace, it is incredibly hard to eliminate, because of its capacity to propagate. The danger comes when a hacker finds a place to introduce JavaScript code that could steal login details, or do something a lot worse than retweet. Tom Scott of outlines the problem in a video.

“The more sinister stuff you can do with JavaScript: quietly stealing passwords, and user information, and letting you log in as other people. All of these things are entirely possible by letting unescaped JavaScript get into your webpage. All you need to do is mess up once, anywhere on your site, with any user input. If you forget to escape that, and someone types a little bit of code there instead, well, congratulations, your website is now completely vulnerable.”

@Tweetdeck claims to have fixed the problem after a couple of false starts, but the continued existence of any XSS vulnerability could make the whole Web ripe for picking.
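The "forget to escape" mistake described in the quote above, shown as an added example beside its fix. This is illustrative code written for this page, not Tweetdeck's code or its actual bug; the function names and the sample tweet are assumptions constructed for the demonstration.

```javascript
// Added example: all names and the sample tweet are constructed for illustration.

// The five characters that let text break out of HTML text or attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode untrusted text so a browser displays it instead of parsing it as markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// VULNERABLE: tweet fields are concatenated into markup as-is, so any tag
// inside a tweet becomes part of the page.
function renderTweetUnsafe(tweet) {
  return '<div class="tweet"><span class="author">@' + tweet.author +
         '</span><p>' + tweet.text + '</p></div>';
}

// HARDENED: every user-controlled field is escaped at the point of output.
function renderTweetSafe(tweet) {
  return '<div class="tweet"><span class="author">@' + escapeHtml(tweet.author) +
         '</span><p>' + escapeHtml(tweet.text) + '</p></div>';
}

// Regression check: list tag names in rendered output that the template
// itself never emits. A non-empty result means user input reached the page as markup.
function unexpectedTags(html, allowed = ['div', 'span', 'p']) {
  const found = [];
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name) && !found.includes(name)) found.push(name);
  }
  return found;
}

// Constructed sample input: a harmless popup like the "yo!" dialogs users reported.
const sampleTweet = {
  author: 'example_user',
  text: '<script>alert("yo!")</script> I <3 & "quotes"',
};

console.log('unsafe render, unexpected tags:', unexpectedTags(renderTweetUnsafe(sampleTweet)));
console.log('safe render, unexpected tags:  ', unexpectedTags(renderTweetSafe(sampleTweet)));
console.log(renderTweetSafe(sampleTweet));
```

The hardened renderer still shows the tweet's text to the reader exactly as typed; the browser just never treats it as code.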