Flaw leads to massive retweeting and irritating pop-ups

Jun 11, 2014 18:08 GMT  ·  By

TweetDeck, Twitter’s client for reading and posting 140-character messages, has been hit by an XSS (cross-site scripting) attack that made alert dialogs pop up and left the client unusable.

Cross-site scripting is an injection flaw in which a web application takes input controlled by an attacker and places it into a page without properly validating or encoding it, so that script hidden in that input runs in the browser of everyone who views the page, with the same access to the site as the victim’s own session.
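To make the definition concrete, here is an added example (not TweetDeck’s code, and not the payload used in this attack) showing the vulnerable pattern next to its fix: a client that builds tweet markup by concatenating the untrusted text, and the same renderer with the text HTML-encoded before it is inserted. The tweet object, the `<img onerror>` payload and the helper names are constructed for this illustration.

```javascript
// Added example, not TweetDeck's code: the pattern behind a client-side XSS bug.
// A web client receives a tweet object whose text field is attacker-controlled
// and has to display it. The sample tweet below is constructed for this example.

// Constructed hostile input: a tag whose event handler runs script as soon as
// the browser fails to load the (non-existent) image.
const hostileTweet = {
  user: "attacker",
  text: '<img src="x" onerror="alert(1)">hello',
};

// Vulnerable rendering: the untrusted text is concatenated straight into markup.
// In a browser this string would typically be assigned to element.innerHTML, and
// the onerror handler would then execute in every viewer's session.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Encode the characters that can change meaning in HTML text and attributes.
// This is the context-specific fix for text placed inside an element body or a
// quoted attribute; URL, script and CSS contexts need their own encoders.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: every untrusted field is encoded for the context it lands in.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Rough check used only to make the difference visible in this example:
// does the markup still contain a tag carrying an inline event handler?
function hasInlineHandler(html) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}

console.log("unsafe:", renderTweetUnsafe(hostileTweet), hasInlineHandler(renderTweetUnsafe(hostileTweet)));
console.log("safe  :", renderTweetSafe(hostileTweet), hasInlineHandler(renderTweetSafe(hostileTweet)));
```

When the client manipulates a real DOM, the simpler fix is to avoid building markup strings at all and set the text through `textContent` or `document.createTextNode`, which the browser never parses as HTML; the encoder above is what you need when the markup is assembled as a string and handed to `innerHTML`.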

In some cases the problem went beyond pop-ups: messages (some of them obscene) from unknown handles were retweeted over and over again. One message, originating from the handle ”@derGeruhn”, was retweeted automatically more than 35,000 times. Because the injected script ran inside each viewer’s own session and triggered the retweet action, every account that merely displayed the message re-broadcast it to its followers, which is what turned a single flaw into a self-propagating worm.

Even though the message consisted of nothing but a snippet of code, watching it spread that far in such a short time was disruptive in itself.

The issue appears to have been confined to TweetDeck: Twitter’s own web interface and other clients built on Twitter’s API did not misbehave, which points to a flaw in TweetDeck’s rendering code rather than in the service behind it.

Initially, TweetDeck’s Twitter account announced a fix that consisted of simply logging out of the app and logging back in, a step that could only help if the client code served on the next login had already been patched.

However, many users reported that the issue persisted, and 28 minutes later a second message was posted on TweetDeck’s account. It announced that TweetDeck had been taken offline temporarily while the security issue was investigated. A short while ago, TweetDeck’s services were restored and everything should be working normally.

Separately, Feedly and Evernote were also knocked offline today by distributed denial-of-service (DDoS) attacks. Evernote is back up and running, but at the time of writing Feedly remains inoperable.