TweetDeck got hacked or not? Austrian teen just wanted to send out pink hearts

Did Twitter just got attacked by little pink heart monsters? Not really, but Twitter did pull down its TweetDeck application after a minor bug that led to major annoyance for some users Wednesday.

Nineteen-year-old Austrian computer student Florian, who goes by the name @Firoxl on Twitter, was experimenting with HTML on the TweetDeck platform because he wanted to send out a tweet with a heart symbol at the end. Florian discovered that typing "&hearts" creates the heart symbol and opens up TweetDeck's software to a vulnerability that allows hackers to use tweets as codes that can be injected into the computer and execute remote commands.

"It wasn't a hack. It was some sort of accident," Florian said in an interview.

He also said he immediately contacted Twitter to inform the company of his discovery before telling the rest of the world in his tweet "Vulnerability discovered in TweetDeck o /"

Before Twitter could issue a patch, however, enterprising souls in the hacker community took to Twitter for a mass attack. Thankfully, no real damage was done, with mischief-makers doing nothing more than exploit the cross-site scripting (XSS) vulnerability to send annoying messages with a long string of code with a heart at the end and pop-ups with silly messages such as "LOL I SHOULD RULE THE WORLD" and cause them to be re-tweeted thousands of times over.

A long bit of indecipherable code ending in a pink heart tweeted by a user named @derGeruhn was shared almost 40,000 times, and people had to manually un-retweet the message to undo whatever damage was done.

Global strategist Trey Ford at security firm Rapid7 explains how the vulnerability works.

"This vulnerability very specifically renders a tweet as a code in the browser, allowing various cross site scripting attacks to be run simply by viewing a tweet," he says. "The current attack we're seeing is a worm that self-replicates by creating malicious tweets."

But while some news outlets have called the TweetDeck brouhaha "silly" and "harmless," at least one programmer believes this could lead to far more serious implications if TweetDeck does not step up its security game. Chris Williams of Dio Design in U.K. says attackers can "run JavaScript in the context of another user" because TweetDeck "is not stripping out dangerous code from tweets."

"At the moment, people are just opening alert boxes. Next, there'll be tweets trying to steal login tokens, etc.," he says.

Ford says Twitter, which shut down TweetDeck for a good hour Wednesday morning, has already found a security patch for the vulnerability, and users can get rid of the pesky pop-ups and codes simply by logging out of TweetDeck and logging in. Some users, however, have reported that the log-out, log-in solution did not work for them. Others have said that un-retweeting a malicious tweet led to an error message that says: "XSS in TweetDeck."

The issue only affects users with the TweetDeck add-on for Chrome browser, but those using TweetDeck's desktop apps for Mac and PC are also encouraged to comply with security measures.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
Tags:Tweetdeck
Join the Discussion
Real Time Analytics