TweetDeck temporarily brought down by XSS hack
TweetDeck, a popular organization application for Twitter users, was taken offline Wednesday after hackers hit the service with rapid retweets and strange error messages.
Popular Twitter organization app TweetDeck was taken offline Wednesday after a hack left users dealing with some confusing messages.
TweetDeck users reported a bug that was retweeting code from fake users. That code then spread the retweeting bug to other users. Other TweetDeck users found strange pop-ups containing messages such as “Yo!” and “Please close now TweetDeck… it is not safe." Major Twitter accounts were affected by the hack, such as BBC Breaking News. One retweet managed to spread 38,000 times in two minutes.
"TweetDeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter," says Trey Ford, a security expert at Rapid7, to USA Today.
"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a "worm" that self-replicates by creating malicious tweets," he adds.
Initially, TweetDeck thought it had patched the security flaw this morning, and asked users to log out and back in to activate the fix. However, as the pop up messages and retweets continued, TweetDeck eventually shut down.
"We've temporarily taken TweetDeck services down to assess today's earlier security issue,” the company tweeted. “We'll update when services are back up."
As of 2:00 pm Eastern, the application was still down, but it seemed to be back up shortly afterward.
TweetDeck is a third-party Twitter platform most frequently used by media organizations and social media professionals. The application allows users to monitor Twitter and post from several different accounts at a time.
TweetDeck was founded in 2008 and was one of the first third-party applications on Twitter to find widespread popularity. Twitter bought TweetDeck, originally a British company, in 2011 for $40 million. Twitter has not yet commented on the hack.