A young hacker found an existing weakness in the TweetDeck code, leading to the site being hacked. Twitter has since repaired the issue and TweetDeck is up and running.
TweetDeck, the platform that many use to post and manage their tweets, was hacked on Wednesday. It fell victim to XSS, or cross-site scripting, a class of attack that hackers use to glean personal user information and to get into individual Twitter accounts.
Many users on Twitter saw little hearts posted all over the site. These hearts and the code used to input them (“&hearts;”) actually revealed a flaw in the Twitter code that allowed it to be hacked. The cross-site scripting weakness in Twitter had existed for quite some time before a hacker decided to use it to gain access to the site. This hacker, a young Austrian programmer with the Twitter handle @firoxl, tweeted out the cross-site script with the heart so that other hackers could take advantage of the information.
While some hackers did indeed use the code for their own objectives, other users on Twitter mistakenly thought that they were being trolled in much the way that the Rick Roll joke spread like wildfire on the Internet.
According to Zscaler vice president of security research Michael Sutton, the incident was a “Twitter worm” of a kind that hadn’t surfaced in a long while. “XSS remains the most common vulnerability seen in web apps,” he explained via the Inquirer. “It remains a common flaw even on popular internet properties as it can be challenging to properly validate all user supplied input, especially when trying to be flexible and allow users to post rich media content.”
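The article does not describe TweetDeck's actual code, so the following is an added illustration (not from the article or from Twitter) of the general pattern behind the heart tweets and Sutton's point about validating rich user input: a renderer that decodes HTML entities such as `&hearts;` in user text and then inserts the result as HTML turns entity-encoded markup into live markup, while decoding once and escaping on output keeps the heart and neutralizes the markup. The sample tweets and the function names are constructed for this demo.

```javascript
// Added illustration, not code from TweetDeck or from the article: decoding
// HTML entities in user-supplied text and then using the result as an HTML
// fragment converts entity-encoded tags into real tags (stored XSS). The fix
// is to decode into plain text and escape that text when building HTML.
// Sample tweets below are constructed; the article does not describe
// TweetDeck's real code.

const NAMED_ENTITIES = { hearts: "\u2665", lt: "<", gt: ">", amp: "&", quot: '"' };

// Decodes the named and numeric entities this demo needs into plain text.
function decodeEntities(text) {
  return text.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      return String.fromCodePoint(parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10));
    }
    return NAMED_ENTITIES[body.toLowerCase()] ?? match;
  });
}

// Escapes plain text so a browser shows it literally instead of parsing it.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the decoded text is used directly as an HTML fragment.
function renderTweetUnsafe(tweet) {
  return decodeEntities(tweet);
}

// Safe pattern: decode once to recover what the user typed, then escape on
// output. "&hearts;" still shows as a heart; "&lt;script&gt;" shows literally.
function renderTweetSafe(tweet) {
  return escapeHtml(decodeEntities(tweet));
}

// Review-side check: flags fragments that would carry script-bearing tags or
// inline event handlers, which user text should never be able to introduce.
function containsActiveMarkup(fragment) {
  return /<\s*(script|iframe|svg|img)\b|\son\w+\s*=/i.test(fragment);
}

// Constructed samples: a harmless heart tweet and one smuggling a script tag.
const SAMPLES = ["I &hearts; TweetDeck", "&lt;script&gt;alert(1)&lt;/script&gt; &hearts;"];
for (const t of SAMPLES) {
  console.log(containsActiveMarkup(renderTweetUnsafe(t)), containsActiveMarkup(renderTweetSafe(t)));
}
```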
The hacker himself eventually came to regret the episode, as @firoxl claimed that he was “getting tired of this.” He claims that he didn’t hack the site but rather found the bug that made hacking TweetDeck possible. “I wish this whole thing never happened,” he tweeted after the incident.
On Wednesday, Twitter disabled TweetDeck for at least an hour in an attempt to repair the damage. However, further damage occurred when users attempted to log in. Some saw strange messages. Still others reported retweets containing scripts that may or may not have been benign.
TweetDeck made a series of posts on Twitter about the hacking. “We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up,” TweetDeck posted through Twitter on Wednesday.
That same day, TweetDeck managed to fix its code problems and returned to functionality. The TweetDeck Twitter account tweeted out two posts confirming this. “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix,” read the first, while the second said: “We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for the inconvenience.”