A security flaw in TweetDeck was exposed last Wednesday, causing the service to turn itself on and off over the course of a few hours. While the app was scrambling to restore service to users, hackers were having a field day, doing their best imitation of a 10-year old boy, plastering messages like “penis penis penis,” and “I love poop,” in alert boxes that took over the software.
The messages ranged from the comically inane…
— • (@Negiert) June 11, 2014
Tweetdeck XSS pic.twitter.com/tgT9w0bZ1q
— Andreas Lindh (@addelindh) June 11, 2014
Good to know, Tweetdeck. Thanks! pic.twitter.com/YJ0qQox5Ar
— Agustina Prigoshin (@AgustinaP) June 11, 2014
To prompts that are just plain weird.
Tweetdeck is not fixed. pic.twitter.com/Zt0N5GkUFl
— Tyler Wilde (@tyler_wilde) June 11, 2014
Just like everything else in life, the disruption was also improved by some rickrollling.
hackers from 2007 are currently rickrolling ppl on TweetDeck tho pic.twitter.com/HfO03OiLjy
— Anthony B. L. Smith (@AnthonyBLSmith) June 11, 2014
According to CNNMoney, the security hole was discovered by an Austrian teenager named Florian. The vulnerability, which took advantage of TweetDeck’s cross-site scripting (XSS) capability, was exposed through the use of a heart symbol that contained a string of code. Florian said that he discovered that using “&hearts” to create a heart symbol opened a security flaw in the app that allowed people to send computer program commands through tweets.
He notified Twitter of the flaw, but pranksters were quick to take advantage of the vulnerability. One hacker even managed to create a code that caused users to auto-retweet his messages. The Twitter accounts of the New York Times and SFGate were affected by the disruption. The code for the re-tweet hack can be found below. So far, it’s been retweeted 79,000 times.
<script class=”xss”>$(‘.xss’).parents().eq(1).find(‘a’).eq(1).click();$(‘[data-action=retweet]’).click();alert(‘XSS in Tweetdeck’)</script>♥
— *andy (@derGeruhn) June 11, 2014
TweetDeck announced that the security hole was patched early on Thursday. However, some users were still reporting issues.
— Chris Pirillo (@ChrisPirillo) June 11, 2014
In a blog post, anti-virus software maker McAfee offered recommendations for dealing with the disruption. The company rattled off the usual laundry list of security measures, asking users to sign out of TweetDeck, change passwords regularly (14 characters is ideal) and to avoid third-party apps.