Twitter shuts down Tweetdeck after XSS flaw leaves users vulnerable to account hijack
[img]https://pbs.twimg.com/media/Bp3QnEfCYAAA-WY.png[/img]
A "cross-site scripting" (XSS) vulnerability has been discovered on Twitter's Tweetdeck client, leaving millions of users open to account hijacking and more.
Twitter has shut down Tweetdeck while it fixes the problem, despite earlier promising that it had been fixed. The original advice offered by the official Tweetdeck account claimed that the flaw had been fixed, and that users should log out and back in to their accounts to get the update. [URL="http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable"][Click here to continue reading][/URL]
Don't know how many of you guys are using it on Chrome, but I was affected. My account made random retweets. Will be best to change your passwords too.
XSS means there's no need to change your password cause they're using your login cookie, not your password
(it's like the "i am a gay ____" from a while back)
I've had this happen to me a while back too, I hardly ever tweet so I ended up being blocked by some people before I even realized it. :/
Psst....
[url=http://facepunch.com/showthread.php?t=1400937]http://facepunch.com/showthread.php?t=1400937[/url]
EDIT: I'm a goof. This thread is in Sensationalist Headlines, the one I linked to is in In The News Node. Whoops!
[URL="http://www.businessinsider.com/tweetdeck-major-security-vulnerability-twitter-2014-6"]I saw an article about this pop up earlier.[/URL]
Apparently someone had taken advantage of the vulnerability and posted a tweet with some code that ended up getting retweeted like 35k times. I wonder if Twitter will ban his ass for doing it.
[QUOTE=Tsyolin;45073695][URL="http://www.businessinsider.com/tweetdeck-major-security-vulnerability-twitter-2014-6"]I saw an article about this pop up earlier.[/URL]
Apparently someone had taken advantage of the vulnerability and posted a tweet with some code that ended up getting retweeted like 35k times. I wonder if Twitter will ban his ass for doing it.[/QUOTE]
It's the software developer's job to ensure stuff like this doesn't happen. Can't really ban someone for abusing something that he shouldn't be able to abuse
Saw this happen, my account did a couple retweets.
It's nice that most of the popups/tweets were actually just calls to attention/warnings about the flaw.
[QUOTE=djjkxbox360;45073878]It's the software developer's job to ensure stuff like this doesn't happen. Can't really ban someone for abusing something that he shouldn't be able to abuse[/QUOTE]
but... he's still abusing it which is a very good reason for twitter to ban him.
security flaws can appear in any application, you can have the best developers and you will always have a chance of an exploit appearing.
[QUOTE=Tsyolin;45073695][URL="http://www.businessinsider.com/tweetdeck-major-security-vulnerability-twitter-2014-6"]I saw an article about this pop up earlier.[/URL]
Apparently someone had taken advantage of the vulnerability and posted a tweet with some code that ended up getting retweeted like 35k times. I wonder if Twitter will ban his ass for doing it.[/QUOTE]
@dergeruhn. I don't use twitter very much but I noticed this when two totally unrelated accounts I follow retweeted him.
[QUOTE=Silentfood;45073936]but... he's still abusing it which is a very good reason for twitter to ban him.
security flaws can appear in any application, you can have the best developers and you will always have a chance of an exploit appearing.[/QUOTE]
And you should be quick to fix it, or shut the application down
[QUOTE=GammaFive;45073646]I've had this happen to me a while back too, I hardly ever tweet so I ended up being blocked by some people before I even realized it. :/[/QUOTE]
what did they say using your account?
hopefully nothing too shitty
[QUOTE=LordCrypto;45073422]XSS means there's no need to change your password cause they're using your login cookie, not your password
(it's like the "i am a gay ____" from a while back)[/QUOTE]
I was affected by that :v:
[url]http://facepunch.com/showthread.php?t=1159897&p=34474946&viewfull=1#post34474946[/url]
[QUOTE=djjkxbox360;45074034]And you should be quick to fix it, or shut the application down[/QUOTE]
or maybe if you find the exploit, you report it directly to twitter? "going open" with it is a huge security risk to a platform, you're showing it to [url=https://twitter.com/search?f=realtime&q=%3Cscript%20class%3D&src=typd]people who [b]can[/b] cause real problems[/url].
[QUOTE=Silentfood;45074070]or maybe if you find the exploit, you report it directly to twitter? "going open" with it is a huge security risk to a platform, you're showing it to [url=https://twitter.com/search?f=realtime&q=%3Cscript%20class%3D&src=typd]people who [b]can[/b] cause real problems[/url].[/QUOTE]
Most people who find an exploit will exploit it; it's not something that happens often, so people make the most of it
Access has been reinstated
Glad I never used TweetDeck
[QUOTE=djjkxbox360;45073878]It's the software developer's job to ensure stuff like this doesn't happen. Can't really ban someone for abusing something that he shouldn't be able to abuse[/QUOTE]
You can, and it happens all the time. It doesn't matter much if the exploit was in the software from the word go or not; if you abuse it to be an asshole you are subject to a ban. It's the same reason 99% of game servers will ban someone for exploiting, say, an infinite ammo glitch.
[QUOTE=TestECull;45075148]You can, and it happens all the time. It doesn't matter much if the exploit was in the software from the word go or not; if you abuse it to be an asshole you are subject to a ban. It's the same reason 99% of game servers will ban someone for exploiting, say, an infinite ammo glitch.[/QUOTE]
It doesn't happen all the time at all, and most cheats don't work in modern online games because the data is stored server side. Of course you wouldn't understand, you're not a developer
I'm using Firefox and wasn't affected, although nobody I follow actually got hit by the exploit while I had TweetDeck open. Really angry this was used for abuse rather than being directly reported to the Twitter staff, these kids are gross.
[QUOTE=djjkxbox360;45076936]It doesn't happen all the time at all, and most cheats don't work in modern online games because the data is stored server side. Of course you wouldn't understand, you're not a developer[/QUOTE]
Honestly, you know nothing about exploits and cheating. Most games have exploits based on bad trust clients are given. All you need is basic understanding of reverse engineering and finding what you can send to the game server. When you say most cheats don't work, the source engine itself has been riddled with exploits, they just run VAC over to prevent cheaters from continuing to cheat.
"not a developer"
lmao, really?
On-topic, a lot of websites get [url=http://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/]exploits abused[/url], and I mean [url=https://pwnedlist.com/stats/targets-map]a lot[/url]. Though I might actually start using TweetDeck again, it's actually a nice interface.
I do know about exploits, actually, and yes, a lot of websites get hacked, ones that no one knows about; in terms of websites people actually use, exploits are rare.
Only cheats that I know work on the Source engine are wallhack and aimbot, because they're both hard to track, and that's pretty much standard for most modern online games
[QUOTE=djjkxbox360;45079917]I do know about exploits, actually, and yes, a lot of websites get hacked, ones that no one knows about; in terms of websites people actually use, exploits are rare.
Only cheats that I know work on the Source engine are wallhack and aimbot, because they're both hard to track, and that's pretty much standard for most modern online games[/QUOTE]
What about the previous Source exploit that allowed you to download/upload any file from servers? People used it to download the server config and get the rcon password from it.
[editline]12th June 2014[/editline]
[QUOTE=LordCrypto;45073422]XSS means there's no need to change your password cause they're using your login cookie, not your password
(it's like the "i am a gay ____" from a while back)[/QUOTE]
It is possible for XSS to steal passwords if you let the website with the XSS exploit remember your password, since JavaScript can read password fields (which are automatically filled in by the browser if you set it to remember).
[QUOTE=djjkxbox360;45076936]It doesn't happen all the time at all, and most cheats don't work in modern online games because the data is stored server side. Of course you wouldn't understand, you're not a developer[/QUOTE]
If it hasn't been patched yet I know a Source Engine exploit that lets you execute arbitrary code on other people without even owning the server
EDIT: probably is patched, i think it was abused in that CSGO attack that got people VAC banned for joining matchmaking servers
And when was the last exploit before that? They don't happen as frequently as you like to think
All I saw was this
[t]http://i.imgur.com/cIKLUfF.png[/t]
and I was really, really confused
[QUOTE=djjkxbox360;45083169]And when was the last exploit before that? They don't happen as frequently as you like to think[/QUOTE]
There used to be insane amounts of exploits that basically printed stuff to the server console. You could just spam those like crazy and crash the server.
[QUOTE=djjkxbox360;45073878]It's the software developer's job to ensure stuff like this doesn't happen. Can't really ban someone for abusing something that he shouldn't be able to abuse[/QUOTE]
And it's the exploit discoverer's job to tell the developers about the exploit so they can get a fix in place. Not, you know, exploit it for their own ends.
Robbery doesn't become legal just because it's stupid to leave your door unlocked.
[QUOTE=MegaJohnny;45083867]And it's the exploit discoverer's job to tell the developers about the exploit so they can get a fix in place. Not, you know, exploit it for their own ends.
Robbery doesn't become legal just because it's stupid to leave your door unlocked.[/QUOTE]
Lots of companies are gigantic assholes with bounties
It can be a lot easier and more profitable to just sell it to some Russians and be done with it
[QUOTE=MegaJohnny;45083867]And it's the exploit discoverer's job to tell the developers about the exploit so they can get a fix in place. Not, you know, exploit it for their own ends.
Robbery doesn't become legal just because it's stupid to leave your door unlocked.[/QUOTE]
It's not illegal to exploit something unless you're getting personal info or doing something that's obviously illegal. Nothing illegal happened here
ZPS Dev got a tweet posted by someone else :/