Twitter’s TweetDeck Hacked as Teen Stumbles Upon Flaw and Hackers Run Wild


TweetDeck was offline for more than an hour on Wednesday as Twitter worked to repair a security hole in the app. The flaw was first stumbled upon by a teenager who reported it to Twitter, but not before hackers ran wild with the vulnerability in the software’s code. Users were first alerted to a problem when they began receiving strange pop-ups. Meanwhile, their TweetDeck app was busy retweeting, from more than 40,000 users’ systems, tweets that contained potentially harmful computer code. The app was taken down after a tweet from TweetDeck notifying users that its service was halted while the security “issue” was assessed and that an update would follow once the app was live again. A Twitter spokesperson declined to respond to a request by USA Today for comment.

The hole in the app’s code allows hackers to exploit cross-site scripting (XSS): text that should only ever be displayed is instead interpreted as JavaScript, so a hacker can embed code in a tweet that, once streamed into a user’s TweetDeck app and rendered, runs in that user’s browser with that user’s TweetDeck session. The hack acted as a “worm,” replicating itself through random tweets from “andy” (@derGeruhn) to other accounts and causing it to “spread like wildfire,” even after the patch was applied, according to security expert Trey Ford of Boston-based security firm Rapid7. Although initial reports were that only desktop computers running the Google Chrome browser were vulnerable, users on other systems were affected as well. According to Ford, signing out and then signing back in to the app usually takes care of the issue, since XSS attacks work by taking over a user’s logged-in session and acting as that user. However, users this morning were reporting that this was not solving the issue, and attempting to un-retweet the original malicious tweet resulted only in an error message.

An Austrian teenager named Florian (@firoxi) is reportedly responsible for today’s attack after a test tweet he sent exposed the security flaw, which was discovered in 2011 but left unrepaired. He told CNN that finding the vulnerability was a complete “accident” and stated that he did not intend to hack into the service. Although he notified Twitter of the vulnerability once it was discovered, hackers had already begun their attack. It is not known what type of information the hackers may have gathered through today’s attack, but users are being advised to change their passwords just in case.

The random tweets from “andy” appear to have been sent from the account of a German college student and computer programmer named Andy Perdana, who tweeted today that the attack was a prank and that it was completely intentional. Perdana, a computer science student at the University of Applied Sciences in Karlsruhe, Germany, reveals on his own Twitter account that he is a fan of both My Little Pony and anime.

TweetDeck was the first third-party app to be widely used by Twitter’s users, who download it in order to view and manage more than one Twitter account in real time; it is mainly used for journalism or marketing purposes. It was released in 2008 and purchased by Twitter for approximately $40 million in 2011.

By Jennifer Pfalz

Sources:
USA Today
Buzzfeed
The Washington Post
Business Insider