Twitter Users Urged To Kill Tweetdeck After Bug Alert

TweetDeck vulnerability could lead to mass account hijacking, security expert warns, but there are some protections in place for users

Twitter account holders were urged to not use the popular TweetDeck client this afternoon, after users were alerted to a potentially nasty bug in the platform that could lead to “mass account compromise”.

Popup alerts emerged in some users’ browsers earlier today, as the code that exploited the bug was retweeted across Twitter. As soon as users’ browsers read the code, an alert popped up highlighting the flaw and forcing JavaScript to run on their machines.

In the security world, that’s known as a cross-site scripting (XSS) bug and it can be nasty. Rather than just showing an alert, the vulnerability could be exploited to send session cookies, which confirm who the user is to TweetDeck and therefore allow the attacker access to their account.

tweetdeck-logoNasty Tweetdeck XSS

In theory, someone could take the initial XSS exploit code, which appears to have been tweeted by a user known as ‘freakyclown’, tweak it to steal people’s session cookies and cause a mass TweetDeck account takeover, warned security analyst Andreas Lindh.

“In a worst case scenario, the code could have grabbed each users session cookie, which is what is used by a browser to authenticate a user instead of having to enter your username and password every time, and then send the session cookie to a server under the attacker’s control,” Lindh said.

“This would mean that the user could login to TweetDeck as every user that was subject to the attack, without having to know the password or even the username.

“So in short, a TweetDeck account hijack. This could later be used to post links to sites serving up malware or just spread disinformation. Imagine the impact if a major news account was compromised.”

There is some good news for TweetDeck users, however. It was noted by security expert Frederic Jacobs that Twitter cookies contain a feature, called HTTPOnly, that should prevent them from being stolen by hackers.

The flaw could also be used for other types of attacks, such as pilfering files from the user’s browser or sending them to a malicious website that then downloads malware onto their PC.

It appears the versions of TweetDeck vulnerable to the XSS bug are the Chrome browser application and the Windows desktop app. The desktop client version for Mac OS X does not appear to be vulnerable at the present time.

The episode is highly embarrassing for Twitter, which owns TweetDeck after acquiring the British firm in 2011, since XSS flaws are rudimentary to address, Lindh said. “That vulnerability is like XSS 101.”

Twitter had not responded to a request for comment at the time of publication. It has been urged to fix the flaw and users have been advised to stop using TweetDeck.

Lindh said users should also go to settings on Twitter.com, head to the Apps section and revoke access to TweetDeck. That will protect them from danger.

The attack highlights the dangers of XSS, which is one of the most frequently seen vulnerabilities across the Internet today.

UPDATE: TweetDeck has now been temporarily closed as Twitter attempts to fix the flaw. There is also some indication Mac clients are also affected. The best advice is not to use TweetDeck until it’s been fixed.

What do you know about Internet security? Find out with our quiz!