A cross-site scripting bug in Twitter's TweetDeck tool caused trouble for many users on Wednesday, and potentially opened up many other users to XSS attacks.
A researcher tweeted the vulnerability early Wednesday morning, setting off a wave of online conversation and eventually leading to downtime at TweetDeck, which is Twitter's tool for tracking online postings.
TweetDeck reported that it had fixed the vulnerability about four hours after it was reported, but subesequently took the service down to assess the damage. Service was restored less than six hours after the original vulnerability disclosure, but by that time, many users had unknowingly tweeted out code that could lead to future XSS attacks.
TweetDeck did not disclose the details of how many users were affected or the number of active exploits found to be using the vulnerability. However, it did offer a simple fix -- users need only log out of TweetDeck and log back in to close the issue. Unfortunately, many users did not see the instructions or did not follow them, leading to widespread infection.
"Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter," said Trey Ford, global security strategist at security firm Rapid7, in a statement. "This vulnerability very specifically renders a tweet as code in the browser, allowing various XSS attacks to be run by simply viewing a tweet. The current attack we’re seeing is a 'worm' that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.
"The guidance from Tweetdeck is simple and correct – log out, and log back in," Ford advised. "One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat. This worm hearkens back to the MySpace 'Samy Worm' in 2006, except for one key step -- this worm does not appear to have the ability to force your account to follow the attacker."
XSS, a vulnerability which has been around for more than a decade, still accounts for more than 30 percent of online attacks, says Barry Shtieman, director of security strategy at application security vendor Imperva. "XSS -- and Persistent XSS [pXSS] in particular -- can lead to breaches, identity and credentials compromise, and even malware infection through a derived drive-by [attack] on vulnerable websites."