Merry Christmas - it's another Twitter XSS bug!


Update: fixed now, less than 8 hours later. Isn't technology marvellous?

Recently Twitter bought TweetDeck, a provider of custom Twitter-browsing clients which were popular amongst many Twitterati for dealing with bulk tweet-management.

Twitter subsequently axed the main TweetDeck client, replacing it with a centralised web service and a series of per-platform shims (Mac, Windows) that present the web service as an "app" - and for those with just a browser, the same backend is available as web.tweetdeck.com.

Therein lies the oops.

A little over a year ago the Twitterverse was all aflutter with the onMouseOver incident, where it was discovered that Twitter's own web client could be confused into mistaking medium for message: bits of HTML that were - like any other message - legitimately tweeted could become exposed to the web browser's engine and treated as something to be rendered, i.e. processed, executed and drawn on viewers' screens.

This is bad - in the security industry we call this an XSS or Cross-site Scripting bug, because it causes a person viewing one page to execute code that came from an entirely different website.

Running Javascript code across different web sites. See where the name comes from?

This morning I discovered one of the same, in TweetDeck, by typing bits of HTML - and latterly, Javascript - into my Tweetstream and Facebook status updates; although actual tweets are properly rendered, I found that Facebook status updates are not similarly sanitised, and that HTML embedded in them will be executed by the TweetDeck web client.
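To make the mistake concrete, here is an added illustration in JavaScript (runnable under Node, not code from this post or from TweetDeck): the unsanitised rendering path beside the one a web client needs, applied to a constructed status record; the record's field names and the twitter.com link format used for @mentions are assumptions.

```javascript
// Added example, not TweetDeck's code: the rendering mistake described above
// beside the fix a web client needs. Runs under Node (no DOM required).

// Escape the characters that let untrusted text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// The mistake: the status body is dropped into markup as-is, so any HTML a
// user typed into it reaches the browser's parser and is rendered, not shown.
function renderStatusUnsafe(status) {
  return `<div class="status"><span class="author">${status.author}</span>: ${status.text}</div>`;
}

// The fix: every field from the remote service is escaped first, whatever its
// source (tweet or Facebook status), so there is one code path to get right.
// @mentions are linkified on the already-escaped text, and the handle is
// restricted to [A-Za-z0-9_], so the generated href cannot carry markup either.
function renderStatusSafe(status) {
  const body = escapeHtml(status.text).replace(
    /@([A-Za-z0-9_]{1,15})\b/g,
    (_, handle) => `<a href="https://twitter.com/${handle}">@${handle}</a>`,
  );
  return `<div class="status"><span class="author">${escapeHtml(status.author)}</span>: ${body}</div>`;
}

// Constructed sample (field names are an assumption): a status whose text
// contains markup, exactly as a user could type it into a status box.
const sampleStatus = {
  author: 'someone',
  text: 'Merry Christmas <b>all</b> & beware of <script>track()</script> @alecmuffett',
};

// True if any tag present in the untrusted text survives verbatim into the
// rendered markup, i.e. the renderer handed user HTML to the browser.
function leaksMarkup(html, untrustedText) {
  const tags = untrustedText.match(/<[^>]+>/g) || [];
  return tags.some((t) => html.includes(t));
}

console.log('unsafe:', renderStatusUnsafe(sampleStatus));
console.log('safe  :', renderStatusSafe(sampleStatus));
```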

There was no point in being subtle about the discovery because with 1400 followers - including some serious security geeks - someone would be bound to work out what I was up to; thus I've logged the bug with Twitter and we can move on.

Workaround: If you use TweetDeck's web client I recommend you remove all Facebook accounts from it until this gets sorted out; it shouldn't take long. Evidently someone in the transition team missed the lesson last time round, but it should only need fixing once.

Or so we hope.

In the meantime: I am treating this casually and laconically because:

  1. TweetDeck Web Client is new and fairly unpopular with its base, so exposure is slight.

  2. I have had reports that the per-platform shim applications do not demonstrate this bug.

  3. I wish to avoid another media firestorm. XSS bugs exist. They will never be fully expunged. Whining will not help. Oh dear. How sad. Never mind.

Someone might try to turn this into a worm but if they do it will hit a small population who have an easy workaround (see above) - so rules of full disclosure suggest that spreading understanding of the risk will do more good than harm.

Fie upon anyone who tells you otherwise.

Merry Christmas.

Follow me as @alecmuffett on Twitter and this blog via the RSS feed.