
This Twitter user appears to have racked up almost 40,000 retweets by hijacking other accounts

Twitter Inc. claims it has repaired a security flaw in Tweetdeck, the web-based social media management tool the company operates, after rogue code let hackers hijack other user accounts.

Twitter users who use Tweetdeck were surprised to find their accounts compromised Wednesday morning, as strange pop-up windows and forced retweets caused alarm and anger.

The official @TweetDeck account made clear the situation was somewhat dire: "We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up."

Shortly before 2 p.m. ET Tweetdeck posted "We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience."

Some users were reluctant to believe the all-clear, since earlier in the day Tweetdeck had already claimed everything was resolved: "A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix." Many users quickly took to Twitter to point out it was still happening, forcing the reversal and takedown.

Most observers believed the faults were found solely in the version of Tweetdeck built for Google's Chrome web browser and not on Twitter.com or mobile apps. Other reports suggest the Windows app was also compromised, but Twitter has not yet confirmed how many users or services were exposed.

The exploit appears to have been caused by users posting a line of JavaScript code in Tweetdeck, which browsers would read and execute.

"For security reasons, most browsers impose restrictions on JavaScript code. An XSS (Cross-site scripting) exploit involves breaking or working around those restrictions, to run functions that shouldn't be permitted under the browser's security rules," says Kevin O'Gorman, a web developer and release manager here at The Globe and Mail. "Usually these exploits are the result of poor programming that allows users to inject JS code into a page, so that the browser thinks it's coming from a trusted source."

One prominent example was from a German user by the name *andy or @derGeruhn, who tweeted an XSS script that seemed to force many accounts running on Tweetdeck to retweet a heart-shaped emoticon. (Disclosure, my account retweeted Andy's little heart.)

Some of the early users aware of the flaw cheered on that kind of exploitative behaviour: "The coolest thing to do with the TweetDeck XSS is to make it retweet… make it trend … until it gets fixed."

Other users were "RickRolled," where a pop-up would read "Never going to give you up. Never going to let you down," while others received the pithy message "I love poop."

"In this case, [it appears] Tweetdeck is passing JavaScript code in tweets verbatim into its web app," says Mr. O'Gorman. "From the browser's perspective, this code is coming from Tweetdeck's servers ... So it has access to anything in the Tweetdeck user's session, including login information."

Some of the early posters of the XSS scripts found their successful exploit brought unwanted attention. Shortly before noon ET user @Dani___Alves wrote "YAY I HACKED TWITTER! AHAHAH AHAHAH AHAHAH AHAHAH" and then "Dan 1 Twitter 0." Not long after that he wrote: "Can people stop tweeting me, cheers. Haha," and even later "This tweet was a joke by the way, it was not me who hacked twitter, sorry to disappoint. :(".

Update: CNN believes it found the source of the hack, an Austrian user named Florian who goes by the handle @firoxl (who claims on Twitter he stumbled on the bug while experimenting with the heart-shaped tags).
