Merry Christmas - it's another Twitter XSS bug!
Festive fodder for Cybersecuritypseuds
Published 14:31, 20 December 11
Update: fixed now, less than 8 hours later. Isn't technology marvellous?
Recently Twitter bought TweetDeck, a provider of custom Twitter-browsing clients which were popular amongst many Twitterati for dealing with bulk tweet-management.
Twitter subsequently axed the main TweetDeck client, replacing it with a centralised web service and a series of per-platform shims (Mac, Windows) that present the web service as an "app" - and for those with just a browser, the same backend is available as web.tweetdeck.com.
Therein lies the oops.
A little over a year ago the Twitterverse was all aflutter with the onMouseOver incident, where it was discovered that Twitter's own web client could be confused into mistaking medium for message: bits of HTML that were - like any other message - legitimately tweeted could become exposed to the web browser's engine and treated as something to be rendered, i.e. processed, executed and drawn on viewers' screens.
This is bad - in the security industry we call this an XSS or Cross-site Scripting bug, because it allows a person viewing one page to be transported into executing code that is taken from another, entirely different website.
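To make the "medium for message" confusion concrete, here is an added example (my own illustration, not TweetDeck's or Twitter's code) of a web client rendering a tweet two ways: concatenating the text straight into its markup, so the browser parses any tags in the message, and escaping it first, so the text stays text. The sample tweet, the function names and the detection check are all constructed for this example.

```javascript
// Constructed sample tweet carrying HTML with an inline event handler, the
// same shape of content that tripped up the onMouseOver incident.
const SAMPLE_TWEET = 'Merry Christmas <b onmouseover="alert(1)">everyone</b>!';

// Vulnerable rendering: the message body is spliced straight into the page's
// markup, so the browser's parser sees the tweet's tags as part of the page.
function renderTweetUnsafe(text) {
  return '<div class="tweet">' + text + '</div>';
}

// Escape the five characters that let text break out of an HTML text node or
// attribute value. After this the browser can only ever display the tweet.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: the template is the only markup; the tweet is data.
function renderTweetSafe(text) {
  return '<div class="tweet">' + escapeHtml(text) + '</div>';
}

// Check a test suite can run over rendered output: does any tag appear
// inside the template wrapper? Crude, but it catches this class of bug.
function containsForeignMarkup(html) {
  const body = html.replace(/^<div class="tweet">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z!\/]/.test(body);
}

// Demonstration when run directly under node.
console.log('unsafe leaks markup:', containsForeignMarkup(renderTweetUnsafe(SAMPLE_TWEET)));
console.log('safe leaks markup:  ', containsForeignMarkup(renderTweetSafe(SAMPLE_TWEET)));
```

In a real page you would assign the tweet to an element's textContent rather than build strings, which performs this escaping for you; the string form is used here so the example runs outside a browser.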
There was no point in being subtle about the discovery because with 1400 followers - including some serious security geeks - someone would be bound to work out what I was up to; thus I've logged the bug with Twitter and we can move on.
Workaround: If you use TweetDeck's web client I recommend you remove all Facebook accounts from it until this gets sorted out; it shouldn't take long, evidently someone in the transition team missed the lesson last time round, but it should only need fixing once.
Or so we hope.
In the meantime: I am treating this casually and laconically because:
TweetDeck Web Client is new and fairly unpopular with its base, so exposure is slight.
I have had reports that the per-platform shim applications do not demonstrate this bug.
Someone might try to turn this into a worm but if they do it will hit a small population who have an easy workaround (see above) - so rules of full disclosure suggest that spreading understanding of the risk will do more good than harm.
Fie upon anyone who tells you otherwise.