TweetDeck Hacked—Panic (And Rickrolling) Ensues


TweetDeck, the popular application for managing Twitter feeds that is operated by Twitter itself, announced that it was temporarily disabling its service after a number of accounts were affected today by hackers who exploited a vulnerability in the service.

TweetDeck attributed the problem to a cross-site scripting (XSS) vulnerability. In an XSS attack, the attacker gets a web application to include attacker-supplied script in a page it serves, so that the script runs in the victim's browser with the same privileges as the site itself: it can read the user's session, change what the page shows and perform actions in the user's name.

Criminal hackers commonly use cross-site scripting to hijack sessions, steal credentials or other sensitive data entered on the page, or quietly redirect victims to sites that serve malware.

In this case, however, the effect was limited. The vulnerability appeared to allow anyone whose tweet showed up in a TweetDeck user's timeline to embed JavaScript in that tweet, which TweetDeck would then execute: the script could display arbitrary pop-up messages on the user's screen, or spread like a worm by making the user's account automatically retweet the malicious tweet to its own followers.

Pop-up messages yelling “Yo!”, “HACKED” and the RickRoll classic “NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN” appeared on the screens of TweetDeck users to broadcast the breach. Other Twitter users had strange retweets sent from their accounts.

Those affected included @NYTimes and @BBCBreaking, whose accounts were among some 30,000 Twitter feeds that inadvertently retweeted a script, with a heart symbol at the end of it, that appeared to come from @derGeruhn.

— *andy (@derGeruhn) June 11, 2014

Twitter fixed the issue this morning with a patch and told TweetDeck users to log out of their accounts and log back in to fully apply it.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.

— TweetDeck (@TweetDeck) June 11, 2014

But after users continued to report being affected by the problem, even after logging out and back in, TweetDeck temporarily disabled the service to investigate.

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.

— TweetDeck (@TweetDeck) June 11, 2014

It’s not the first time that Twitter has been hit by a cross-site scripting hack. In 2010, thousands of users were affected by a cross-site scripting hack after Twitter re-designed its site.

Update 12:30 PST An Austrian teen has claimed credit for uncovering the bug and for inadvertently causing others to exploit it. The 19-year-old, who would only identify himself to CNN as Florian and appears on Twitter as Firo Xl, says he discovered the vulnerability when he tried to send a ♥ symbol in a tweet and found that he could get accounts to share his message automatically. The teen says he notified Twitter about the vulnerability, but before the company could patch it, other users had already discovered the issue through Florian's tweet, which had by then gone viral, and begun to exploit it.

I wonder whether this works: Test

— Firo Xl (@firoxl) June 11, 2014
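To make the failure mode concrete, here is an added example, not code from TweetDeck or from this article: a small tweet-rendering pipeline that HTML-escapes the tweet correctly but then, in a hypothetical emoji step that only runs when the text contains a ♥, decodes the entities again before the result is inserted as HTML. The heart trigger and the "script followed by a heart" shape of the tweet come from the report above; the pipeline structure, the function names and the sample payload are assumptions made for illustration, not TweetDeck's actual code or the actual tweet.

```javascript
// Added illustration (not TweetDeck's code): how an HTML-escaped tweet can
// still reach the DOM as live markup when a later decorating step re-decodes
// entities. The heart trigger comes from the article; the pipeline is a
// hypothetical reconstruction of the bug class, and the payload is constructed.

const ESCAPE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPE = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Correct first step: neutralise every character that could open markup.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPE[c]);
}

// Single-pass entity decoding: the unsafe operation in the vulnerable path.
function decodeEntities(html) {
  return html.replace(/&(?:amp|lt|gt|quot|#39);/g, (m) => UNESCAPE[m]);
}

// Emoji substitution; the same helper is used by both renderers below.
function replaceHeart(html) {
  return html.replace(/\u2665/g, '<img class="emoji" alt="heart">');
}

// Vulnerable renderer (hypothetical): the emoji step only runs when the tweet
// contains a heart, and it decodes entities before substituting, so the escaped
// "&lt;script&gt;" becomes "<script>" again right before innerHTML assignment.
function renderTweetVulnerable(text) {
  const escaped = escapeHtml(text);
  if (!escaped.includes('\u2665')) return escaped; // no heart: output stays escaped
  return replaceHeart(decodeEntities(escaped));    // heart: unescape, then decorate
}

// Fixed renderer: decorate the escaped string and never decode it.
function renderTweetFixed(text) {
  return replaceHeart(escapeHtml(text));
}

// Last-line check: does the rendered markup contain a live script element?
// (Weak on its own; event-handler attributes would get past it.)
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample tweets (not the real payload): script, then a heart.
const SAMPLE_WORM_TWEET = '<script>alert("XSS")</script>\u2665';
const SAMPLE_PLAIN_TWEET = 'I \u2665 TweetDeck & <3';

console.log('vulnerable:', renderTweetVulnerable(SAMPLE_WORM_TWEET));
console.log('fixed:     ', renderTweetFixed(SAMPLE_WORM_TWEET));
console.log('plain:     ', renderTweetFixed(SAMPLE_PLAIN_TWEET));
```

The point of the example is ordering: escaping is only a guarantee if nothing decodes the string again between the escape and the moment it is handed to the DOM. A renderer that needs to decorate text with emoji or links should either work on the escaped string, as `renderTweetFixed` does, or build the output with `textContent` and DOM nodes instead of string concatenation. A check like `containsLiveScript` is at best a tripwire; the robust control against injected inline script is a Content Security Policy that forbids it.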