Twitter jumps to block XSS worm in Tweetdeck


The Twitters were a twitting this morning over a newly discovered cross-site scripting (XSS) flaw in the popular Tweetdeck software owned by Twitter itself.

What is cross-site scripting? Often abbreviated XSS, it is a flaw in a web site that allows unauthorized users to inject client-side script code.

In this example it meant that Twitter users could inject script code into a tweet that would take advantage of the Tweetdeck bug and execute code inside the browser of Tweetdeck users.
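A generic illustration of this class of flaw, added here as an example (it is not Tweetdeck's code and not from the original post): the same tweet rendered by unescaped string concatenation and by a renderer that HTML-encodes untrusted fields. The function names and the sample tweets are hypothetical and constructed for the illustration.

```javascript
// Added illustration; not Tweetdeck's code. All names are hypothetical.

// Characters that change meaning in HTML text or attribute context.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text so the browser displays it instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: tweet fields are concatenated straight into markup.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>${tweet.user}</b>: ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is encoded at the point of output.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>${escapeHtml(tweet.user)}</b>: ${escapeHtml(tweet.text)}</div>`;
}

// Constructed sample tweets (not real data).
const SAMPLE_TWEETS = [
  { user: "alice", text: "I <3 the cabin & the lake" },
  { user: "mallory", text: "<script>alert('XSS')</script>" },
];

// Render each tweet both ways and report whether a live <script> tag survived.
function compareRenderings(tweets) {
  return tweets.map((t) => {
    const unsafe = renderTweetUnsafe(t);
    const safe = renderTweetSafe(t);
    return {
      user: t.user,
      unsafe,
      safe,
      unsafeHasScriptTag: /<script\b/i.test(unsafe),
      safeHasScriptTag: /<script\b/i.test(safe),
    };
  });
}

console.log(compareRenderings(SAMPLE_TWEETS));
```

Encoding at the point of output keeps ordinary text such as `<3` readable while preventing the browser from treating tweet content as markup.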

After the discovery of this bug, most tweets were harmlessly popping up alert messages in Tweetdeck users' browsers, as our former colleague Graham Cluley showed in his blog this morning.

Taking a quick look at Twitter shows lots of attempts to exploit this flaw still flying around, although Twitter has now patched the flaw.


People have suggested this was not malicious, but I disagree. Creating a network worm, even if it is only being used to spread a warning message, is still malicious activity no matter how you cut it.

In fact, most antivirus companies use definitions similar to the much-derided Computer Fraud and Abuse Act (CFAA) in the United States.

The CFAA states that it is a crime to acquire unauthorized access or to exceed authorized access to a network or computer.

An extremely open definition, but one that should be easy enough for people to understand. No permission, don't access it.

Antivirus firms largely consider something malicious if it uses resources on a computer without the owner's permission or for purposes other than those for which the user agreed to allow it access.

It has been a while since we have seen a Twitter-related worm, and hopefully it will be a long while until we do again.


Twitter says they have put this bug to bed. It is now safe to tweet about the cabin.



One Response to Twitter jumps to block XSS worm in Tweetdeck

  1. Sammie · 97 days ago

    Guess this early bird doesn't like the worms.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.