{"id":104083,"date":"2014-06-11T19:34:31","date_gmt":"2014-06-11T17:34:31","guid":{"rendered":"http:\/\/mybroadband.co.za\/news\/?p=104083"},"modified":"2014-06-11T20:10:14","modified_gmt":"2014-06-11T18:10:14","slug":"tweetdeck-offline-after-twitter-xss-attack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/104083-tweetdeck-offline-after-twitter-xss-attack.html","title":{"rendered":"Tweetdeck offline after Twitter XSS attack"},"content":{"rendered":"<p>Tweetdeck announced (<a href=\"https:\/\/twitter.com\/TweetDeck\/status\/476770732987252736\" target=\"_blank\">on Twitter<\/a>, naturally) that it has temporarily taken its services down \u201cto assess today\u2019s earlier security issue.\u201d<\/p>\n<p>The security issue in question is a cross-site scripting (or XSS) attack that let the creative hacker take control of someone\u2019s Tweetdeck remotely.<\/p>\n<p>Creative, because they would have to fit whatever embarrassing and\/or security-compromising command they wanted you to execute into 140 characters or less.<\/p>\n<p>Initially, Tweetdeck <a href=\"https:\/\/twitter.com\/TweetDeck\/status\/476763638695743489\" target=\"_blank\">told<\/a> users that the security issue had been fixed \u201cthis morning\u201d (Pacific time, presumably) and that they should log out and log back in.<\/p>\n<p>However, a number of users on the various platforms supported by Tweetdeck reported still being vulnerable to the attacks, even after turning it off and back on again.<\/p>\n<p>Among the attacks circulating on the social network was a script that would retweet itself and post a heart:<\/p>\n<div id=\"attachment_104091\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/06\/Tweetdeck-XSS-attack-retweeting-a-heart.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-104091\" class=\"size-full 
wp-image-104091\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/06\/Tweetdeck-XSS-attack-retweeting-a-heart.jpg\" alt=\"Tweetdeck XSS attack retweeting a heart\" width=\"600\" height=\"372\" \/><\/a><p id=\"caption-attachment-104091\" class=\"wp-caption-text\">Tweetdeck XSS attack retweeting a heart<\/p><\/div>\n<p>Others popped up alert boxes that contained helpful messages such as, \u201cRevoke TweetDeck\u2019s Twitter access now!\u201d<\/p>\n<p>There were also less helpful alert messages (via <a href=\"https:\/\/twitter.com\/addelindh\" target=\"_blank\">Andreas Lindh<\/a>):<\/p>\n<div id=\"attachment_104085\" style=\"width: 610px\" class=\"wp-caption aligncenter\"><a  data-lightbox=\"post-image\" href=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/06\/Unhelpful-Tweetdeck-XSS-alert-message.jpg\"><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-104085\" class=\"size-full wp-image-104085\" src=\"http:\/\/mybroadband.co.za\/news\/wp-content\/uploads\/2014\/06\/Unhelpful-Tweetdeck-XSS-alert-message.jpg\" alt=\"Unhelpful Tweetdeck XSS alert message\" width=\"600\" height=\"330\" \/><\/a><p id=\"caption-attachment-104085\" class=\"wp-caption-text\">Unhelpful Tweetdeck XSS alert message<\/p><\/div>\n<p>The Tweetdeck team promised to update users when services are back up.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A cross-site scripting exploit has hit Twitter\u2019s own client software, Tweetdeck<\/p>\n","protected":false},"author":15,"featured_media":88401,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27],"tags":[36,25433,147,405,25431],"class_list":["post-104083","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","tag-active","tag-cross-site-scripting-attack","tag-tweetdeck","tag-twitter","tag-xss"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/104083"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=104083"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/104083\/revisions"}],"predecessor-version":[{"id":104093,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/104083\/revisions\/104093"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/88401"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=104083"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categ
ories?post=104083"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=104083"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}