TweetDeck struggles with XSS bug – update


TweetDeck, Twitter's official client for power users, contains an XSS bug. As a result, attackers could potentially, for example, send tweets automatically on a user's behalf. The regular Twitter site is not affected.

The bug is trivial to exploit: TweetDeck parses tweets as plain HTML, so adding JavaScript to a tweet is enough to get that JavaScript code executed. In theory this lets an attacker use JavaScript code to post tweets automatically from someone else's account. Followers could also be removed.

As a proof of concept, a German Twitter user posted a tweet that was automatically retweeted whenever a TweetDeck user came across it; at the time of writing that message had been retweeted 39,000 times.

It is not clear which versions are vulnerable. The web-based version of TweetDeck is vulnerable in any case; the OS X app is not. It is unclear whether the Windows version is vulnerable. Security researcher Frederik Jacobs argues that in this case it is not possible to steal cookies, something that is possible with some XSS bugs. Nevertheless, security researchers advise not to use TweetDeck for the time being.

In 2010, the Twitter website itself struggled with a similar problem. Attackers then used an onMouseOver event: a Twitter user created a tweet that was automatically retweeted when visiting twitter.com. Twitter acquired TweetDeck in 2011.
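The rendering mistake described above (tweet text parsed as HTML) and the 2010 onMouseOver variant both come down to untrusted text being inserted into the page as markup. The following illustration is added here and is not code from TweetDeck or from the article: it shows a vulnerable renderer next to an escaping renderer, simulating the DOM as an HTML string so it runs under Node.js without a browser, plus a defender-side check that flags script elements, inline event-handler attributes and javascript: URLs in rendered output. The sample tweets are constructed and the function names are my own.

```javascript
// Added illustration (not TweetDeck's code): raw-HTML insertion of a tweet
// versus escaped insertion, with a check for active content in the result.

// Escape the five characters that let text break out into markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering: the tweet body is concatenated straight into markup,
// the equivalent of assigning it to element.innerHTML. Any tag in the tweet
// becomes part of the page.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="author">${tweet.author}</span>: ${tweet.text}</div>`;
}

// Hardened rendering: every untrusted field is escaped first, the equivalent
// of creating a text node (element.textContent) instead of parsing HTML.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="author">${escapeHtml(tweet.author)}</span>: ${escapeHtml(tweet.text)}</div>`;
}

// Defender-side check over rendered output: flag script elements, inline
// event-handler attributes (the 2010 onMouseOver trick) and javascript: URLs.
// Returns a list of findings; empty when the markup carries no active content.
function findActiveContent(html) {
  const findings = [];
  if (/<script\b/i.test(html)) findings.push('script element');
  if (/<[a-z][^>]*\son[a-z]+\s*=/i.test(html)) findings.push('inline event handler');
  if (/\b(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html)) findings.push('javascript: URL');
  return findings;
}

// Constructed sample tweets (not real tweets from the incident). The payloads
// are inert placeholders; only their markup shape matters here.
const SAMPLE_TWEETS = [
  { author: 'alice', text: 'Hello <3 TweetDeck' },
  { author: 'mallory', text: '<script>void 0</script>' },
  { author: 'mallory', text: '<b onmouseover="void 0">hover me</b>' },
];

// Render each sample both ways and report what the checker finds in each.
function auditRenderers(tweets = SAMPLE_TWEETS) {
  return tweets.map((t) => ({
    text: t.text,
    unsafeFindings: findActiveContent(renderTweetUnsafe(t)),
    safeFindings: findActiveContent(renderTweetSafe(t)),
  }));
}

for (const result of auditRenderers()) {
  console.log(JSON.stringify(result));
}
```

Only the unsafe renderer produces findings for the two hostile samples; the escaped output of the same tweets contains no active content, which is the property the fix for this bug has to restore. The "<3" sample shows that escaping also keeps harmless text intact rather than stripping it.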

Update, 18:43: According to researcher Jacobs, the bug has now been patched. Users do, however, need to log out and back in and empty the browser cache, to prevent the old, vulnerable TweetDeck JavaScript code from still being loaded.
