Those kids and their toys. Well, it is more along the lines of kids and business toys. TweetDeck went down today, but not for the same reason that many sites go down during the course of the day. This wasn’t someone’s evil plot to compromise an app’s security. It turns out that it was done by a 19-year-old Austrian guy who was wondering “if this will work.”
Early on Wednesday morning, Florian ran a simple test: a tweet containing a few simple HTML tags, as well as a heart symbol. He added a message, ‘I wonder if this will work…’ To his surprise, the tags in the plain text of the tweet were interpreted rather than displayed as text, and the tweet came through from TweetDeck to Twitter just fine.
The root of the issue is that this vulnerability had been discovered back in 2011 and apparently was never properly patched. Florian even reported the vulnerability publicly to @TweetDeck, hoping that someone monitoring their mentions would see it. TweetDeck users started seeing messages, delivered through the XSS bug itself, warning that the service was no longer secure.
Florian tried some experiments to see how the system would react to the ‘heart’ symbol on the service. After a few hours, TweetDeck was back up and running, but it requested that users log out of their accounts and log back in for the patch to take full effect.
Normally, Twitter would have escaped the markup in the plain text, and the tweet would have been displayed as harmless text or blocked from someone’s feed. Because it made it through TweetDeck’s filtering, however, the bug left the door open for someone to send out malicious content via Twitter. That would be equivalent to receiving a link in an email that appears to come from someone you know.
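To show what “escaping the markup” means in practice, here is an added example that is not TweetDeck’s or Twitter’s code: a small output-encoding routine a web client would apply to tweet text before inserting it into the page. The tweet author, body text, and the `renderTweet`/`rendersSafely` helper names are assumptions constructed for this illustration. Encoding only the five HTML-significant characters turns tags into literal text while leaving the heart symbol and other Unicode untouched.

```javascript
// Added example (not TweetDeck's or Twitter's code): encode tweet text before
// it is inserted into HTML so that any markup in a tweet is shown literally
// rather than interpreted by the browser.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Replace every HTML-significant character with its entity in a single pass,
// so the ampersand produced by one replacement is never re-encoded.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the markup a client would insert for one tweet. Only the surrounding
// markup is fixed and trusted; author and body are untrusted and encoded.
function renderTweet(author, body) {
  return (
    `<div class="tweet"><span class="author">${escapeHtml(author)}</span>: ` +
    `<span class="body">${escapeHtml(body)}</span></div>`
  );
}

// Constructed sample tweet (hypothetical): a tag plus the heart symbol (U+2665).
const SAMPLE_BODY = "I wonder if this will work... <b>hello</b> \u2665";

// Check that the rendered body contains no raw angle brackets (so no tag can be
// interpreted) while the heart symbol survives the encoding intact.
function rendersSafely(body) {
  const html = renderTweet("florian", body);
  const bodyHtml = html.match(/<span class="body">(.*)<\/span>/)[1];
  return !/[<>]/.test(bodyHtml) && bodyHtml.includes("\u2665");
}

console.log(renderTweet("florian", SAMPLE_BODY));
```

The point of the check is that encoding happens at the moment the text is written into HTML, on the client that renders it; a filter applied somewhere upstream (as the article notes Twitter normally does) does not help a second client that renders the same text on its own.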
Fortunately, this ‘test’ was constructed by a kid who simply stumbled onto some plain text that got through and decided to see if it would work. TweetDeck managed to patch the vulnerability and is safe for now. The downside for technology-based companies is that when someone finds a vulnerability, they rarely report it to the company’s security team. Many times they do harm with it before someone else discovers the issue.