Twitter's popular account management service TweetDeck got nailed when a hacker discovered and announced a cross-site scripting (XSS) vulnerability, one which replicated itself and became a comedy of errors — and misreporting.
Twitter temporarily disabled TweetDeck, which it owns, until the issue was fixed, but much ridiculousness had already been unleashed by one Twitter user, an Austrian teenager calling himself "Firo," who told CNN on Wednesday he was just trying to tweet out a pink "heart" icon.
TweetDeck wasn't hacked. It was already broken
The important thing to understand is that Firo didn't "hack" TweetDeck. The bug has always been in TweetDeck, and he was simply the first to publicly point it out.
Some news outlets reported that TweetDeck was hacked, while others have reported that there was a TweetDeck worm — a standalone malware program.
But TweetDeck was already broken, and it had been all along. It's highly likely that this vulnerability has been exploited quietly by others until now.
if you're using tweetdeck STOP. RT @sisiwei: Let's just say I can get your computer to do anything I can script in < 126 characters or so.— dan sinker (@dansinker) June 11, 2014
While today's antics were harmless — though, embarrassing for some and inconvenient for others — other uses of this vulnerability until today were probably no so light-hearted.
Let the "lulz" begin
The opportunity for "lulz" was simply irresistible in security communities.
Tweetdeck announced a new "interactive tweet" feature today that opens up a new world of possibilities for what you can do with a tweet.— Fake Infosec News (@FakeInfosecNews) June 11, 2014
The hacker who started this mess told CNN that he notified Twitter immediately.
However, by tweeting his experiment with the XSS bug live, along with a note saying, ("Vulnerability discovered in TweetDeck. \ o /"), he had also essentially notified anyone who also saw his tweets.
Others used the bug to begin pranking Twitter users. Messages in the pop-up dialogue box included a reference to the RickRoll meme, saying "NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN" while others got "HACKED," or the classic body part reference seen below.
Tweetdeck is not fixed. pic.twitter.com/Zt0N5GkUFl— Tyler Wilde (@tyler_wilde) June 11, 2014
Some used it as an opportunity to warn TweetDeck users:
Many a truth was said in jest, some explained:
@addelindh vulnerability awareness through penis jokes - a well known educational concept.— Guillaume (@gepeto42) June 11, 2014
Some sarcastically chided powerful Twitter accounts for running their accounts on autopilot — which in this instance, turns out to be an irresponsible practice:
Rapid7's global strategist Trey Ford provided greater detail to Business Insider into the TweetDeck bug:
"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet.
The current attack we’re seeing is a 'worm that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome."
Twitter has resolved the issue and issued a patch, requesting that TweetDeck users log out and back in again to activate the fix.
Curious minds can investigate the diff below:
I extracted a diff from TweetDeck's XSS fix and found this. TL;DR emoji == evil, replace them w/ identity function pic.twitter.com/OAr5F4f0JU— Yan (@bcrypt) June 11, 2014