XSS vulnerability in TweetDeck gets a fix
And when the vulnerability came to light yesterday, it was certainly used, with many thousands of users being treated to comedy pop-up messages and forced retweets of the bug. Indeed, according to ZDNet there were some 83,000 retweets of the script, which hit some pretty major Twitter accounts such as the New York Times and BBC Breaking News. At first it was thought that the vulnerability was only in the TweetDeck Chrome plugin, but then reports came in of other users being affected on IE, Firefox, and the Windows app.
Apparently, the hacker who discovered the flaw told CNN that he informed Twitter about it immediately, but he also tweeted about playing around with the bug. Others saw that tweet, the news quickly spread like wildfire, and the many exploits occurred before Twitter could yank the service down.
Yesterday, on the TweetDeck account, Twitter initially informed users: "A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix."
However, it seems the fix didn't work – or folks didn't follow that advice – and the exploit continued to spread, which led to Twitter taking the service down for a while: "We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up."
An hour later, the social network tweeted: "We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience."
And this time, the flaw was patched up. While it was certainly an embarrassing and large-scale incident, by all accounts it doesn't seem like any real damage was done, and the exploits leveraged were apparently mostly harmless japes.