
Love gesture unmasks XSS vulnerability, Twitter's stale Web security

It started with a gesture of love and resulted in an unintentional TweetDeck hack that exposed an overlooked XSS vulnerability. This story and more in Searchlight.

Wednesday's TweetDeck glitch frustrated me and put me off my social media game for an entire hour. (And, yes, that's a significant chunk of time when we're talking Twitter.) The annoying code-infused pop-up tweet -- which my account automatically retweeted -- I later learned was not some nefarious plot to bring down the Twitterverse, but the result of a 19-year-old accidental hacker just trying to spread some love with a red heart.

The worm-like bug spread rapidly across the Web, hijacking users' sessions in TweetDeck, the Twitter-owned dashboard used to schedule tweets and track trends. Like a classic worm, the script made every affected TweetDeck account (including @NYTimes, @CBCNews and @BBCBreaking) retweet the message, so each new victim pushed it to still more followers.

In a Twitter exchange with CNN, the accidental hacker from Austria explained that he was simply experimenting with embedding the "♥" symbol in his tweets using the HTML character reference "&hearts;" when he stumbled on the TweetDeck weakness. The user, *andy, kept adding "&hearts;" to his tweets and was able to make a pop-up appear on his own TweetDeck dashboard.

By the time he told Twitter about the cross-site scripting (XSS) vulnerability, it was too late: his tweet had spread like wildfire. The whole fiasco was what ZDNet described as a "comedy of errors -- and misreporting," clarifying that *andy didn't "hack" TweetDeck; rather, the bug had been there all along and he had simply surfaced it, in public.

"Twitter has just had a self-retweeting tweet, which should never have happened," explained Tom Scott in a YouTube video. "This is Web security 101. If you don't know this stuff, you shouldn't be designing commercial websites." In this instance, Twitter was lucky hackers didn't use the vulnerability for a malicious attack -- but would your company be so lucky?

CIO Searchlight

To be fair, the bug was quickly fixed, so someone at Twitter had passed Web security 101. But could it have been prevented in the first place? ZDNet contributor Larry Seltzer suggested that Twitter -- the 21st century champion of free speech -- has become close-minded when it comes to TweetDeck. Seltzer argued that since acquiring the Web property back in May 2011, Twitter has halted "any real development" on the program by tightening the rules for using its application programming interface.

Blogger Geoffrey Liu also came down hard on Twitter engineers, suggesting that a little outside help could have prevented the "heart attack."

"A well-secured Web service would never allow such code to perform malicious actions. Behind the scenes, all text that goes through the Web server gets sanitized so it is simply displayed as text and not run like a script. Unfortunately for TweetDeck, its engineers forgot to vaccinate such tweets, allowing scripts to run inside a tweet instead of displaying as benign text."
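To make Liu's point concrete, here is an added illustration in JavaScript, written for this column and not taken from TweetDeck's or Twitter's code, of the pattern that produces this class of bug. The model assumes a client that receives tweet text with its angle brackets already HTML-escaped, decodes character references such as "&hearts;" so it can swap the heart for an emoji image, and then hands the result to the page as HTML. The sample tweet, the helper names and the emoji image path are all made up for the example.

```javascript
// Constructed model of a TweetDeck-style XSS, written for this column.
// Not TweetDeck's or Twitter's code; names, sample tweet and image path are made up.

// Named character references this toy decoder understands.
const NAMED_REFS = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'", hearts: '\u2665' };

// Decode HTML character references (&lt; &#9829; &#x2665; ...) into plain text.
// Unknown references are left untouched; the replacement is single-pass, so
// "&amp;lt;" becomes "&lt;", not "<".
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (match, ref) => {
    if (ref[0] === '#') {
      const hex = ref[1] === 'x' || ref[1] === 'X';
      const cp = parseInt(hex ? ref.slice(2) : ref.slice(1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const text = NAMED_REFS[ref.toLowerCase()];
    return text === undefined ? match : text;
  });
}

// Encode plain text for the HTML body/attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Decoration step: swap each heart for an emoji image tag. This is the only
// markup the renderer is supposed to emit, so it comes from a constant.
function decorateHearts(html) {
  return html.replace(/\u2665/g, '<img class="emoji" alt="\u2665" src="/img/heart.png">');
}

// VULNERABLE: the tweet is decoded back to raw text (so &lt;script&gt; becomes
// <script>), decorated, and the result is treated as HTML. Assigning this to
// innerHTML runs whatever the tweet author wrote.
function renderTweetVulnerable(apiText) {
  return decorateHearts(decodeEntities(apiText));
}

// HARDENED: same decode, but the text is re-encoded for the HTML context
// before any markup is built around it. Tweet content can only ever be text.
function renderTweetSafe(apiText) {
  return decorateHearts(escapeHtml(decodeEntities(apiText)));
}

// True if the markup contains any tag other than the renderer's own <img>,
// i.e. an element the tweet author controls.
function containsInjectedTag(html) {
  return /<(?!img\b)[a-z!\/]/i.test(html);
}

// Constructed tweet as an API would deliver it: brackets already escaped,
// heart written as a named reference.
const SAMPLE_TWEET = 'spread the love &lt;script&gt;alert(1)&lt;/script&gt; &hearts;';

console.log('vulnerable:', renderTweetVulnerable(SAMPLE_TWEET));
console.log('hardened:  ', renderTweetSafe(SAMPLE_TWEET));
```

Run under Node: the vulnerable renderer returns a string that, assigned to innerHTML, would execute, while the hardened one re-escapes the decoded text before any HTML is built, so the only tag in its output is the one the code itself added. The rule generalizes beyond hearts and tweets: keep untrusted input as text until the last step, and encode it for the exact context (HTML body, attribute, URL, script) at that step, never before a later transformation can undo the encoding.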

For CIOs, the snafu is another reminder that the oft pooh-poohed XSS vulnerability can cause major headaches, and that nothing from basic websites to social media systems to sophisticated e-commerce sites can be run on autopilot. The check to ask your teams for is simple to state: wherever untrusted text (a tweet, a comment, a profile field) is turned into HTML, whether on the server or in browser-side JavaScript as in TweetDeck's case, it must be encoded for that context at the moment it is inserted; decoding it again, or reinserting it as HTML after some later transformation, undoes the protection. Unanticipated hacks are inevitable (hello, Murphy's Law) -- is your organization prepared?

  • The World Cup is underway and refs are going high-tech. This year, referees are sporting smart watches that alert them to goals with a text message and a vibration. (Let's hope they can feel those alerts over the roar and rumble of the crowd.) The watches are part of FIFA's first ever "unhackable," closed-loop goal line detection system, tied to cameras that snap 500 shots per second. (Let's see if *andy can hack this one!)
  • SynapDx, out of Lexington, Massachusetts, searches hundreds of thousands of genetic markers in 880 children across 20 states, fishing for clues about autism. The kicker? They do it with a 22-person staff, some laptops and a good Internet connection. This success story has been brought to you by "The Era of Cloud Computing."
  • A Hong Kong venture fund management company, Deep Knowledge Ventures, appointed an algorithm to its board last month. The firm is using the algorithm, VITAL, as an independent decision maker when deciding which age-related disease drugs and regenerative medicine projects to invest in.
  • Having trouble pairing IT staff names with faces? Do you find it difficult to distinguish between what people say and what they mean? Recent advances in facial recognition technology could give Google Glass users the ability to spot discrepancies between what people say and what their faces reveal. That is bad news for the sarcastic and the liars among us.

Previously in Searchlight, What it takes to be a CIO and CIO lessons from Apple's Beats purchase. Let us know what you think about the story; email Emily McLaughlin, associate site editor.

1 comment

What needs to happen to prevent an XSS vulnerability?