Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter

This morning, as I was logging into various social networks, I was presented with a popup from an XSS on TweetDeck. This set every hair on my neck on fire, because it’s obviously not the normal welcome screen.

After some investigation, I found a tweet from one account I follow that contained the following JavaScript code as an example. That alone should have been harmless, but TweetDeck wasn’t sanitizing the input, which caused the code to execute in the browser.

[Screenshot, 2014-06-11 9:41 AM]

This is what someone injected into their tweet. When you logged into TweetDeck, it triggered the vulnerability:

[Screenshot, 2014-06-11 9:45 AM]

As you can see, the XSS attack was set to retweet itself automatically via data-action:retweet, causing a chain reaction for anyone who logged into TweetDeck.

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

[Screenshot, 2014-06-11 9:56 AM]

To be safe, though, we recommend logging out of TweetDeck, revoking its access in your Twitter profile, and resetting all connections if you want to continue to use the application.

[Screenshot, 2014-06-11 9:56 AM]

What is very annoying about this is that you can’t undo the automatic retweet, making it very difficult to remove from people’s timelines. Thankfully, the attack is mostly benign and appears intended more to make a statement than to cause harm, but it’s a clear example of how even the largest applications can be exploited.

Twitter defacement

It is all over the news today that Twitter was defaced yesterday. There is lots of speculation regarding what happened, but this is the alert I received yesterday from the Sucuri Network Integrity Monitor:

Sucuri nbim: twitter.com DNS modified

Modifications:
3a4
< twitter.com has address 128.121.146.100
< twitter.com has address 168.143.162.52
> twitter.com has address 66.147.242.88

This alert was generated by the Sucuri Network Integrity Monitor. Log in to your dashboard at http://sucuri.net.

So we can see that it was indeed a DNS redirection attack, and that their servers probably weren’t attacked directly.
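To show the kind of check behind an alert like the one above, here is a minimal DNS integrity monitor. It is an added example, not Sucuri’s own code: it compares the A records a domain currently resolves to against a known-good baseline and reports the change in the same “<” / “>” style. The baseline addresses in the demo are constructed from the TEST-NET range, not real records.

```python
"""Minimal DNS integrity check (added example, not the monitor's own code).

A baseline of expected A records is compared with what the resolver returns
now; any address that vanished or appeared is reported, which is exactly the
signal that exposes a DNS redirection like the one described above.
"""
import ipaddress
import socket
from typing import Iterable, List


def dns_diff(domain: str, baseline: Iterable[str], current: Iterable[str]) -> List[str]:
    """Return alert lines: '<' for baseline addresses no longer served,
    '>' for addresses that were not in the baseline. Empty list = no change."""
    before, after = set(baseline), set(current)
    removed = sorted(before - after, key=ipaddress.ip_address)
    added = sorted(after - before, key=ipaddress.ip_address)
    lines = [f"< {domain} has address {ip}" for ip in removed]
    lines += [f"> {domain} has address {ip}" for ip in added]
    return lines


def resolve_a_records(domain: str) -> List[str]:
    """Live IPv4 lookup through the system resolver."""
    return socket.gethostbyname_ex(domain)[2]


def check_domain(domain: str, baseline: Iterable[str]) -> List[str]:
    """Resolve the domain now and diff it against the baseline."""
    return dns_diff(domain, baseline, resolve_a_records(domain))


if __name__ == "__main__":
    # Constructed baseline (RFC 5737 TEST-NET addresses); replace with the
    # addresses you have verified for your own domain before relying on it.
    baseline = {"example.com": ["192.0.2.10", "192.0.2.11"]}
    for name, expected in baseline.items():
        changes = check_domain(name, expected)
        if changes:
            print(f"{name} DNS modified")
            print("\n".join(changes))
        else:
            print(f"{name} unchanged")
```

Domains served from a rotating pool (round-robin or CDN) will trigger on legitimate changes, so the baseline for those should be the full set of addresses the provider publishes, not a single snapshot.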

If you are curious where they are hosting their DNS, here it is:

Domain Name: TWITTER.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.P26.DYNECT.NET
Name Server: NS2.P26.DYNECT.NET
Name Server: NS3.P26.DYNECT.NET
Name Server: NS4.P26.DYNECT.NET
Status: clientTransferProhibited
Updated Date: 27-may-2009
Creation Date: 21-jan-2000
Expiration Date: 21-jan-2018

If you tried to access their services last night, we recommend changing your password ASAP. If you want to monitor your own domain names for this kind of issue (for free), visit http://sucuri.net.

Twitter is down, productivity is up

Twitter has been down for more than an hour today, and I suddenly noticed increased productivity from my peers… any correlation?

Maybe that’s related to the latest “worm”, where thousands of users were posting “Today was so exciting! Made $124 in 20 minutes! if ur interested, ..”? Maybe not?

What we know is that Twitter is very unstable and has serious gaps in its security… Maybe they just got hacked?

When it is back, you can search for: http://twitter.com/#search?q=%22today%20was%20so%22 to see the effect of this latest attack.

EDIT: I was partially right. Twitter is suffering from a DoS attack: http://blog.twitter.com/2009/08/denial-of-service-attack.html#links

Check that short URL before clicking on it

A URL un-shortening service that supports all shortening sites (bit.ly, tinyurl, diff, etc.) and also checks the URL against Google Safe Browsing and SiteAdvisor:

http://sucuri.net/index.php?page=tools&title=check-url

Twitter blocked in China

Twitter was blocked by the great firewall of China today…

… On another news, today China experienced a huge boost in productivity. No one knows why.

Twitter account spam checking

Use this tool to test whether a Twitter account is a spammer or not. Link: http://sucuri.net/index.php?page=docs&title=twitter.