Twitter shuts down Tweetdeck after XSS flaw leaves users vulnerable to account hijack


A "cross-site scripting" (XSS) vulnerability has been discovered on Twitter's Tweetdeck client, leaving millions of users open to account hijacking and more.

Twitter has shut down Tweetdeck while it fixes the problem, despite earlier promising that it had been fixed.

The normal Twitter web interface, and other apps such as Echofon that use Twitter's API, do not seem to be affected. Tweetdeck is aimed at professionals and provides a web- or app-based interface to Twitter with the ability to show multiple views of different searches and users.

The flaw causes vulnerable versions of Tweetdeck (3.7.1-19002e5) to run JavaScript code contained in tweets from other sites. Most attacks using the vulnerability are no more than irritations, opening warning dialogues on users' computers, though one version created a retweet of itself and spread 38,000 times in two minutes, and another changed the font on Tweetdeck itself to Comic Sans.

The original advice offered by the official Tweetdeck account claimed that the flaw had been fixed, and that users should log out and back in to their accounts to get the update.

But others found that the flaw persisted, despite following the official advice.

"Logged out of Tweetdeck, logged back in, and got this," tweeted journalist Matt Rosoff, posting a picture of a harmless XSS exploit. "So clearly Twitter's 'fix' does not work!"

Tweetdeck then acknowledged that the fault had not been fixed:

"We've temporarily taken TweetDeck services down to assess today's earlier security issue," it tweeted. "We'll update when services are back up."

Theoretically, such flaws can be used to take over accounts, post tweets, unfollow and follow people, and more.

Twitter itself suffered a similar vulnerability in September 2010 that proved embarrassing after it was discovered by an Australian teenager.

Tweetdeck was originally a British company, and was acquired by Twitter for about £25m ($40m) in May 2011.

Twitter had not responded to a request for comment by the time of publication.

This article was written by Alex Hern, for theguardian.com on Wednesday 11th June 2014 17.41 Europe/London
