Twitter desktop application Tweetdeck had a major cross-site scripting (XSS) bug last night.
While owner Twitter fixed the bug, users were encouraged not to use the application and change passwords as the application spouted random text in place of regular tweets. According to reports, systems were randomly retweeting messages containing potentially malicious scripts.
Mashable reported that a 19-year old Austrian named Firo Xi found the flaw, but denied that it was a deliberate hacking effort. He reported the flaw to Twitter who have declined to comment.
Asked how such a well-deployed application could be affected by such a standard flaw, Tom Cross, director of security research at Lancope, said: “XSS vulnerabilities are fairly common web application bugs that have been well understood by security professionals for a very long time. Any organisation that runs a website should be testing their code for these vulnerabilities before they go into production.
“In this case, the consequence of the attack is mostly the ability to create annoying pop-ups that spread virally between users, but in other contexts XSS vulnerabilities can have more serious implications, which is why its important to check for them.”
Michael Sutton, VP of security research, Zscaler, said: ”While developers have become more aware of XSS and programing environments and browsers have introduced automated protection mechanisms, XSS remains the most common vulnerability seen in web apps.
“It remains a common flaw even on popular internet properties as it can be challenging to properly validate all user supplied input, especially when trying to be flexible and allow users to post rich media content.”
Trey Ford, global security strategist at Rapid7, commented that this “attack” was a worm that self-replicates by creating malicious tweets.
“The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user’s session, effectively enabling an attacker to log in as you,” he said.
Asked how websites can protect themselves, Sean Power, security operations manager at DOSarrest, said: “Websites like Tweetdeck can limit the chances of getting malicious code website by routinely auditing the website for unintended inclusions. But with XSS, especially non-persistent XSS, the best thing is to validate all data coming in and make sure what is coming in is sanitised, or checked for malicious code.
“This is especially true for parts of your website that get regular source code updates. It is not enough to just assume that because it was clean before, new updates will also be also be clear.”
