6/12/2014
00:00 AM
Tim Wilson

XSS Flaw In TweetDeck Leads To Spread Of Potential Exploits

Twitter unit fixes cross-site scripting problem, but not before many users spread vulnerable scripts with their tweets.

A cross-site scripting bug in Twitter's TweetDeck tool caused trouble for many users on Wednesday, and potentially opened up many other users to XSS attacks.

A researcher tweeted the vulnerability early Wednesday morning, setting off a wave of online conversation and eventually leading to downtime at TweetDeck, which is Twitter's tool for tracking online postings.

TweetDeck reported that it had fixed the vulnerability about four hours after it was reported, but subsequently took the service down to assess the damage. Service was restored less than six hours after the original vulnerability disclosure, but by that time, many users had unknowingly tweeted out code that could lead to future XSS attacks.

TweetDeck did not disclose the details of how many users were affected or the number of active exploits found to be using the vulnerability. However, it did offer a simple fix -- users need only log out of TweetDeck and log back in to close the issue. Unfortunately, many users did not see the instructions or did not follow them, leading to widespread infection.

"Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter," said Trey Ford, global security strategist at security firm Rapid7, in a statement. "This vulnerability very specifically renders a tweet as code in the browser, allowing various XSS attacks to be run by simply viewing a tweet. The current attack we’re seeing is a 'worm' that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.

"The guidance from Tweetdeck is simple and correct – log out, and log back in," Ford advised. "One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat. This worm hearkens back to the MySpace 'Samy Worm' in 2006, except for one key step -- this worm does not appear to have the ability to force your account to follow the attacker."

XSS, a vulnerability which has been around for more than a decade, still accounts for more than 30 percent of online attacks, says Barry Shteiman, director of security strategy at application security vendor Imperva. "XSS -- and Persistent XSS [pXSS] in particular -- can lead to breaches, identity and credentials compromise, and even malware infection through a derived drive-by [attack] on vulnerable websites."
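
The failure Ford describes, tweet text rendered as code in the browser, can be shown next to the two defenses the page mentions: allowlisting structured input and encoding output. This is an added example, not TweetDeck's code; the function names, the handle pattern and the sample tweet are assumptions constructed for illustration.

```javascript
// Added example: tweet text is untrusted data and must be encoded for the
// HTML context before it is placed in markup. All names are hypothetical.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;",
};

// Encode the five characters that can change meaning in HTML text and
// quoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allowlist validation for a structured field. Assumption: a handle is
// 1-15 letters, digits or underscores.
function isValidHandle(handle) {
  return typeof handle === "string" && /^[A-Za-z0-9_]{1,15}$/.test(handle);
}

// Vulnerable pattern: the tweet body is concatenated into markup as-is, so
// any tags in it are parsed as markup by the browser.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><a href="/${tweet.handle}">@${tweet.handle}</a> ${tweet.text}</div>`;
}

// Hardened pattern: reject malformed handles, encode everything else.
// Free-form text cannot be allowlisted by character, so it is encoded.
function renderTweetSafe(tweet) {
  if (!isValidHandle(tweet.handle)) {
    throw new Error("invalid handle");
  }
  const handle = escapeHtml(tweet.handle);
  return `<div class="tweet"><a href="/${handle}">@${handle}</a> ${escapeHtml(tweet.text)}</div>`;
}

// Constructed sample input, not taken from the incident.
const sampleTweet = {
  handle: "example_user",
  text: "<script>alert('constructed sample')</script> \u2665 & more",
};

console.log(renderTweetUnsafe(sampleTweet));
console.log(renderTweetSafe(sampleTweet));
```

In the hardened output the tweet body arrives as inert text, so the heart character and the angle brackets display literally instead of being parsed.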

 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Comments
Christian Bryant,
User Rank: Ninja
6/12/2014 | 12:00:36 PM
Browser Alternatives - Safe?
Some mention has been made of trying alternatives to the usual suspects of the web browser world (hardened Lynx (text only), WhiteHat Aviator), but let's not forget that not all web traffic goes across a browser - many applications act like web browsers on the inside and are just as exploitable through methods like XSS. This is especially true with desktops like GNOME where just about every app I use tugs on Mozilla APIs or similar. As long as the key web elements are there XSS can still work on the client-side as if you were using a browser. I mention this only because users shouldn't think because they turn to other apps to access TweetDeck they are safe.
Whoopty,
User Rank: Moderator
6/12/2014 | 11:44:19 AM
Surprised
I was pretty surprised Tweetdeck got caught out by this to be honest. It's large enough and has been operating long enough that you'd think it would have some solid people in place to ward off problems like this.

That said, I did hear that it was to do with the heart symbol which hasn't been around long, so it was a relatively recent exploit it seems. 
Randy Naramore,
User Rank: Ninja
6/12/2014 | 11:08:13 AM
Re: XSS Flaw in TweetDeck
Maybe the major retailers will learn from these incidents but you would think the Target would have been a wakeup call for all.
Robert McDougal,
User Rank: Ninja
6/12/2014 | 11:01:07 AM
Re: XSS Flaw in TweetDeck
Exactly correct Randy!  This is yet another example where putting secure coding first and foremost would prevent a major issue.
Randy Naramore,
User Rank: Ninja
6/12/2014 | 9:04:58 AM
XSS Flaw in TweetDeck
Another example of how secure coding can help all. The use of "white lists" in code can eliminate this exploit from occurring. White lists are used to only allow certain characters to be inputted into form fields and not allow characters that are normally part of XSS attacks. OWASP has information to help with this.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#A_Positive_XSS_Prevention_Model
