TweetDeck users urged to restart app to avoid XSS attack
Twitter dashboard TweetDeck has plugged security hole that caused some issues yesterday
TweetDeck was forced offline after a security hole was discovered that could open up users' browsers to cross site scripting (XSS) attacks.
The vulnerability affected several high profile accounts including Labour leader Ed Miliband.
We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014
The vulnerability seemed to only affect TweetDeck's browser plug-in for Google Chrome. The XSS vulnerability has been reported on both Windows and Mac versions of the TweetDeck app for Chrome.
Initially, users were warned to log out and log back into TweetDeck to prevent users from being hacked. It then took the service down to assess the security issue.
“We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience," it said in a tweet.
Trey Ford, global security strategist at IT security firm Rapid7, said that while TweetDeck appeared to have jumped on this issue and patched it, the bug was still spreading “like wildfire through Twitter."
"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a "worm" that self-replicates by creating malicious tweets," he said.
George Anderson, director of product marketing at Webroot, said that hackers could have used the flaw to send sensitive information back to them.
"A potential attacker can gains access to the user's private information – such as passwords, usernames and card numbers,” he said.
Mikko Hypponen, the chief research officer at F-Secure, discovered a similar flaw in Tweetdeck back in 2011.