Experimentation is the lifeblood of science. From Thomas Edison to Nikola Tesla, from Henry Ford to whoever thought it'd be a good idea to combine chocolate and peanut butter, some of the most amazing discoveries have come about as the result of trying to do something with something else. This potential for experimentation to reveal things about our universe can have good or ill effects, and sometimes, even both at the same time. Just ask a computer science student named Florian who found out that TweetDeck has some serious problems with HTML tags.
Florian, who on Twitter reportedly goes by the handle @Firoxl, was out to add a little heart to tweets sent through TweetDeck. That sounds like a small thing to do, but it is essentially the same experiment a malicious attacker performs when probing how a site handles injected markup, only with a script of more sinister intent. In the process, Florian discovered that TweetDeck had a major cross-site scripting (XSS) vulnerability, one that Florian promptly reported to the Twitter team. Rapid7's Trey Ford offered up a bit of commentary to explain the issue in question, saying “This vulnerability very specifically renders a tweet as a code in the browser, allowing various cross site scripting attacks to be run simply by viewing a tweet. The current attack we’re seeing is a worm that self-replicates by creating malicious tweets.”
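The class of bug Ford describes, shown as an added example that is not TweetDeck's code: a client that drops tweet text straight into markup lets the browser interpret any tag or entity in it, while a client that escapes the text first displays it verbatim. The sample tweet, the helper names and the wrapper markup are all constructed for this illustration.

```javascript
// Added example (not TweetDeck's code): two ways a web client can put a tweet
// body into the page. The first treats the tweet as HTML, which is the class
// of bug described above; the second treats it as plain text.

// Constructed sample tweet body. The entity and the tag are the point: a client
// that interprets them renders markup chosen by whoever wrote the tweet.
const SAMPLE_TWEET = "&hearts; hello <b>world</b>";

// Minimal escaper for the five characters that matter in HTML text and
// attribute-value context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the tweet body becomes markup, so the browser parses
// any tag or entity it contains. Returns the HTML the column is built from.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet">${tweet}</div>`;
}

// Hardened pattern: the tweet body is escaped first, so it is displayed
// character for character and the browser never sees it as a tag or entity.
// (In a live page the equivalent is assigning textContent instead of innerHTML.)
function renderTweetSafe(tweet) {
  return `<div class="tweet">${escapeHtml(tweet)}</div>`;
}

// Regression check: the rendered body must contain no raw angle brackets and
// no ampersand that is not one of the five escapes produced above.
function bodyHasRawMarkup(html) {
  const body = html.slice('<div class="tweet">'.length, -"</div>".length);
  return /[<>]/.test(body) || /&(?!amp;|lt;|gt;|quot;|#39;)/.test(body);
}
```

Note that the hardened renderer shows the literal text `&hearts;` rather than a heart: decoding entities supplied by the tweet author is exactly the behaviour being removed.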
TweetDeck, meanwhile, reports that the issue can be addressed comparatively simply: just log out of TweetDeck and log back in again whenever using it, particularly for those who use the TweetDeck plugin for Google Chrome. While this may prove a bit inconvenient, it is also the safest approach for those who use the service.
It's certainly a surprise to more than a few that software as simple as TweetDeck could contain a vulnerability on this scale. Admittedly, there's no evidence as yet that the flaw has done any serious damage. Some reports suggest that the worst thing found was a bit of “obnoxious” behavior on Twitter, and others note that the damage could really only be limited to what TweetDeck itself could do in the first place, so local files, Gmail accounts and the like were likely never really at risk. Protecting against this particular flaw is also almost too simple: as stated previously, just log out and log back in, then log out after finishing use. This is fairly good practice just about anywhere, so exercising this particular bit of caution should serve well on a variety of other sites and services as well. An issue like this could still have substantial ramifications down the line, though; TweetDeck is often used as a scheduling mechanism to keep tweets moving out regularly, so it's the kind of thing that's really helping to fuel some social media ventures. The importance of social media in general is widely known, so for those who count on such things, this may be a bigger blow than it would be to those who don't use it as a marketing device.
Still, it's a bit galling to be inconvenienced because of someone else's structural failings, and hopefully TweetDeck can find a way to protect itself against this particular vulnerability; some reports suggest that it has already been fixed. But the end result here is that, as is so often the case, the best protection against online issues starts with the user him- or herself.
Edited by Maurice Nagle