TweetDeck temporarily brought down by XSS hack

TweetDeck, a popular organization application for Twitter users, was taken offline Wednesday after hackers hit the service with rapid retweets and strange error messages.

TweetDeck was taken offline on Wednesday after hackers launched an XSS attack. TweetDeck was bought by Twitter for $40 million in 2011.

Popular Twitter organization app TweetDeck was taken offline Wednesday after a hack left users dealing with some confusing messages.

TweetDeck users reported a bug that was retweeting code from fake users. That code then spread the retweeting bug to other users. Other TweetDeck users found strange pop-ups containing messages such as "Yo!" and "Please close now TweetDeck… it is not safe." Major Twitter accounts were affected by the hack, such as BBC Breaking News. One retweet managed to spread 38,000 times in two minutes.

"TweetDeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter," says Trey Ford, a security expert at Rapid7.

"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a 'worm' that self-replicates by creating malicious tweets," he adds.

Initially, TweetDeck thought it had patched the security flaw this morning, and asked users to log out and back in to activate the fix. However, as the pop-up messages and retweets continued, TweetDeck eventually shut down.

"We've temporarily taken TweetDeck services down to assess today's earlier security issue," the company tweeted. "We'll update when services are back up."

As of 2:00 pm Eastern, the application was still down, but it seemed to be back up shortly afterward.

TweetDeck is a third-party Twitter platform most frequently used by media organizations and social media professionals. The application allows users to monitor Twitter and post from several different accounts at a time.

TweetDeck was founded in 2008 and was one of the first third-party applications on Twitter to find widespread popularity. Twitter bought TweetDeck, originally a British company, in 2011 for $40 million. Twitter has not yet commented on the hack.
