Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning as I was logging into various social networks I was presented with a popup with “XSS on Tweet Deck.” This obviously set every hair on my neck on fire, it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account that I follow that had the following javascript code. It would be all good, but TweetDeck wasn’t sanitizing the input which caused the code to execute on the browser.

Screen Shot 2014-06-11 at 9.41.54 AM

This is why, someone injected this into their tweet. When you logged into TweetDeck it triggered the vulnerability:

Screen Shot 2014-06-11 at 9.45.29 AM

As you can see, the XSS attack was set to automatically retweet via this: data-action:retweet causing a chain event for anyone that logs into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

Screen Shot 2014-06-11 at 9.56.21 AM

To be safe though, we recommend logging out of Tweetdeck, Revoking Access in your Twitter profile and resetting all connections if you want to continue to use the application.

Screen Shot 2014-06-11 at 9.56.04 AM

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timeliness. Thankfully, the attack is mostly benign and appears to be intended to making a statement than causing harm, but it’s clear example of how the largest of applications can be exploited.

Via Sucuri.net

Tags:

No comments yet.

Leave a Reply