Vulnerabilities / Threats // Vulnerability Management
6/12/2014
12:00 AM
50%
50%

XSS Flaw In TweetDeck Leads To Spread Of Potential Exploits

Twitter unit fixes cross-site scripting problem, but not before many users spread vulnerable scripts with their tweets.

A cross-site scripting bug in Twitter's TweetDeck tool caused trouble for many users on Wednesday, and potentially opened up many other users to XSS attacks.

A researcher tweeted the vulnerability early Wednesday morning, setting off a wave of online conversation and eventually leading to downtime at TweetDeck, which is Twitter's tool for tracking online postings.

TweetDeck reported that it had fixed the vulnerability about four hours after it was reported, but subesequently took the service down to assess the damage. Service was restored less than six hours after the original vulnerability disclosure, but by that time, many users had unknowingly tweeted out code that could lead to future XSS attacks.

TweetDeck did not disclose the details of how many users were affected or the number of active exploits found to be using the vulnerability. However, it did offer a simple fix -- users need only log out of TweetDeck and log back in to close the issue. Unfortunately, many users did not see the instructions or did not follow them, leading to widespread infection.

"Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter," said Trey Ford, global security strategist at security firm Rapid7, in a statement. "This vulnerability very specifically renders a tweet as code in the browser, allowing various XSS attacks to be run by simply viewing a tweet. The current attack we’re seeing is a 'worm' that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.

"The guidance from Tweetdeck is simple and correct – log out, and log back in," Ford advised. "One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat. This worm hearkens back to the MySpace 'Samy Worm' in 2006, except for one key step -- this worm does not appear to have the ability to force your account to follow the attacker."

XSS, a vulnerability which has been around for more than a decade, still accounts for more than 30 percent of online attacks, says Barry Shtieman, director of security strategy at application security vendor Imperva. "XSS -- and Persistent XSS [pXSS] in particular -- can lead to breaches, identity and credentials compromise, and even malware infection through a derived drive-by [attack] on vulnerable websites."

 

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
6/12/2014 | 12:00:36 PM
Browser Alternatives - Safe?
Some mention has been made of trying alternatives to the usual suspects of the web browser world (hardened Lynx (text only), WhiteHat Aviator), but let's not forget that not all web traffice goes across a browser - many applications act like web browsers on the inside and are just as exploitable through methods like XSS.  This is especially true with desktops like GNOME where just about every app I use tugs on Mozilla APIs or similar.  As long as the key web elements are there XSS can still work on the client-side as if you were using a browser.  I
mention this only because users shouldn't think because they turn to other apps to access TweetDeck they are safe.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
6/12/2014 | 11:44:19 AM
Surprised
I was pretty surprised Tweetdeck got caught out by this to be honest. It's large enough and has been operating long enough that you'd think it would have some solid people in place to ward off problems like this.

That said, I did hear that it was to do with the heart symbol which hasn't been around long, so it was a relatively recent exploit it seems. 
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/12/2014 | 11:08:13 AM
Re: XSS Flaw in TweetDeck
Maybe the major retailers will learn from these incidents but you would think the Target would have been a wakeup call for all.
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
6/12/2014 | 11:01:07 AM
Re: XSS Flaw in TweetDeck
Exactly correct Randy!  This is yet another example where putting secure coding first and foremost would prevent a major issue.
Randy Naramore
50%
50%
Randy Naramore,
User Rank: Ninja
6/12/2014 | 9:04:58 AM
XSS Flaw in TweetDeck
Another example of how secure coding can help all. The use of "white lists" in code can eliminate this exploit from occurring. White lists are used to only allow certain characters to be inputed into form fields and not allow characters that are normally part of XSS attacks. OWASP has information to help with this.

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#A_Positive_XSS_Prevention_Model

 
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.