Thursday01 December 2022

Twitter's Tweetdeck Hacked Right After Getting Award for Security...

Reading time is around minutes.

Twitter has a keen sense of the word irony now. Almost immediately after grabbing the highest score by the Online Trust Alliance for security and privacy they managed to get hit with a very bad XSS (Cross Site Scripting) bug that impacted their TweetDeck side of the house. To make matters worse the XSS flaw was not some 0-day exploit that hackers used, it was a fairly old one that allowed the hackers to fill the feeds of TweetDeck users with malicious scripts.

When Twitter received the honor from the Online Trust Alliance they were quick to point out their many features that are designed to make Twitter a safe place to play.

“Twitter is honored to again receive the top overall award for the highest score on the OTA Honor Roll, It has become increasingly clear over the past year that companies need to be even more vigilant in applying security and encryption technologies like always-on-SSL, forward secrecy, and DMARC in order to protect their users, and we're glad to partner with organizations like the OTA to raise the security and privacy bar.”

So we have to wonder how a flaw that was communicated to them was able to be exploited so fast before they could stop it. Additionally XSS attacks are nothing new, they are an old and sadly common method for breaking into and compromising web applications. There are methods that can (and should) be employed to protect against XSS attacks. The fact that someone was able to find one in TweetDeck while looking for a way to use an emoticon brings Twitter’s security honors into question, and we have to wonder if the OTA’s stamp of approval really means that much.

Either way Twitter did end up pulling Tweetdeck offline in order to stop the retweets and fix the issue. Once they felt they had everything under control, well they Tweeted that it was safe to come out and play once more. This... well incident just goes to show you that even the most secure sites are still vulnerable.

Tell us your thoughts

Last modified on Thursday, 12 June 2014 06:25

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.