Saturday, 12 July 2014

Tweetdeck Vulnerability Was Caused by Emoji Heart

Twitter has relaunched Tweetdeck, its client for social media professionals, after taking it offline following the discovery of a vulnerability that left users open to attack. A few days ago a Twitter user trying to get an emoji heart to display inadvertently uncovered the flaw, and Twitter was forced to shut the app down. Tweetdeck has now been reopened after Twitter verified its security fix, but a number of users keep reporting problems because the web-based client is still being served from caches.

An Austrian teenager known online as Firo was experimenting with Tweetdeck, trying to get the service to display the Unicode "heart" character. While doing so, Firo discovered that any tweet ending with the heart symbol was rendered by the client as HTML rather than as plain text, a classic cross-site scripting (XSS) flaw. Anyone could use it to change the formatting of tweets or pop up alert dialogs on readers' screens. It took Firo only 14 minutes to notify Twitter of the surprising discovery, but it was already too late: the flaw was in the wild.

About 90 minutes later a German IT student created and launched the first "worm" (the proper term for self-replicating attack code) using the vulnerability. His tweet exploited the same flaw so that any affected version of Tweetdeck that displayed it retweeted it automatically. As a result, the tweet gathered over 80,000 retweets in a few days.

Twitter has now relaunched the service and announced that the vulnerability is fixed. However, some users keep reporting problems: the Political Scrapbook blog, for instance, was hit by the worm more than 12 hours after the company announced the fix. The persistence is probably a caching issue. Security experts note that with web-based services both users' PCs and their broadband providers may deliver outdated copies of pages and scripts to save bandwidth, so the vulnerable client can keep running even though the bug itself has been fixed. Users who still see the worm should clear the browser cache or force a full reload so that the patched client is fetched.

Twitter has been asked for comment on what ordinary users can do to make sure they are protected from the flaw, but the company has not provided any guidance so far.
