UPDATE: Twitter has provided a fix for the XSS vulnerability in its TweetDeck application referenced in this article.
Twitter has suspended services on its own Twitter application, TweetDeck, after a serious cross-site scripting vulnerability emerged and was exploited by attackers on a large scale.
According to Mike Mimoso of Threatpost, cross-site scripting occurs when attackers are able to inject code into webpages or web-based services that can automatically be executed by a user’s browser. Hackers successfully executing a cross-site scripting attack can remotely inject code, leading to data loss or service interruption.
Serious vulnerability in TweetDeck. Users should revoke access ASAP
Specifically in the case of TweetDeck, an attacker could take over a user’s account, post or delete tweets or deface the account. Exploit code was tweeted throughout the morning, and automatically retweeted tens of thousands of times.
“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet,” Trey Ford, global security strategist at Rapid7 told Threatpost. “The current attack we’re seeing is a ‘worm’ that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.”
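The flaw Ford describes, a tweet being rendered as markup rather than as text, comes down to how author-controlled text reaches the DOM. The following is an added illustration, not TweetDeck's code: the function names, the template and the sample tweet are all constructed for this example.

```javascript
// Added example (not TweetDeck's code): rendering a tweet as markup versus
// rendering it as text. All names and the sample tweet are hypothetical.

// Minimal HTML-entity escaping for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The weak pattern: tweet text is concatenated straight into an HTML template,
// so any markup the author typed becomes live DOM once the template is inserted.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// The corrected pattern: every author-controlled field is escaped first, so the
// same input is displayed as literal characters and never parsed as tags.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Defender-side check: count the tags in a rendered fragment and subtract the
// four that the template itself contributes (<div>, <b>, </b>, </div>).
// Anything left over came from the tweet, not from our template.
const TEMPLATE_TAGS = 4;
function injectedTagCount(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length - TEMPLATE_TAGS;
}

// Constructed sample: a tweet whose text contains (harmless) markup.
const sample = { user: "alice", text: "hello <b>world</b> & <i>friends</i>" };
```

Run against the sample, the unsafe renderer leaves four author-supplied tags live while the safe renderer leaves none; the same check can be pointed at any rendering path that builds HTML from user text.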
We recommend logging into your Twitter account if you use TweetDeck and revoking TweetDeck's access immediately.
Below is a video demonstrating exactly how to do that, except you’ll need to pretend that the iOS 5 app is TweetDeck, because the account on which the video was produced does not have TweetDeck installed.