Security Flaw in Tweetdeck

If you’re using TweetDeck then I suggest you stop using it NOW and find an alternative, at least until further notice. A significant and easily exploited vulnerability has been discovered in TweetDeck, so far only confirmed when using the Google Chrome web browser.

The simplicity of this exploit makes it surprising that the vulnerability has lain undiscovered until now, and we’re likely to see a wave of spam trying to take advantage of it. The worst case scenario is that someone will be able to gain control of your Twitter account and then use it to further distribute spam or malware to your followers, who would be likely to trust something seemingly posted by you.

You will likely remain unaware that this has happened, and the hack does not need you to interact in any way for you to become a victim. It simply requires that someone you follow posts or retweets a maliciously crafted message, and that you’re using TweetDeck (on Chrome).

The vulnerability is a Cross-Site Scripting flaw (or XSS for short). It means that malicious code can be run in your web browser under the domain of the vulnerable website, in this case TweetDeck (and potentially Twitter in general). The hack therefore has access to any information within your browser that belongs to that website, in particular the session tokens that identify you to Twitter and grant you access to your account.

Once you’ve closed TweetDeck you might also want to remove the application’s permissions from Twitter: click the Gear icon in the top right of Twitter.com, then Settings, then Apps down the left hand side, then find TweetDeck in the list and click “Revoke Permissions”, along with any other apps that you’ve forgotten about and no longer use.

It seems the vulnerability was discovered by  and it’s too early for TweetDeck/Twitter to have provided any official reply or fix.  I’ll provide an update as more information becomes available…

Update: Shortly after this issue went viral Twitter suspended the TweetDeck service, and shortly after that the service was restored with a fix in place. The issue started making waves around 4:30pm GMT, the service was suspended around 6:00pm and restored around 7:00pm. Kudos to Twitter for their fast action.

Fake Facebook Email

A breakdown of a scam that starts with an email that looks like it has come from Facebook

I received an email that at first appearance looks to be from Facebook but the first clue that it’s fake is that it arrived at an email account that I’ve never used with Facebook (like I’d trust them with anything meaningful! pah). Here I take a look at the  scam, the players and the played…

Privacy Apps Don’t All Measure Up

A look at several mobile apps (for Android and iPhone) that make empty promises to protect your privacy

The best advice when it comes to privacy and photos and videos is “don’t take a photo that you don’t want your boss/parents/grandparents to see”, but this advice is rarely heeded. In a cheap attempt to profit from people’s privacy worries there are several apps on the market that promise to protect your dignity from prying eyes. Here I take a look at several such apps and demonstrate how they fail to measure up…


DNS and Web Security

What is DNS and why it is important for security on the web.

Last week a pretty big mishap slipped by with only the briefest mention in techy news circles. The Domain Registrar for Ireland was compromised, resulting in web traffic looking for the Yahoo and Google Irish websites being redirected to unofficial counterfeit websites. You’ll be forgiven if this doesn’t mean much to you, but suffice to say it could have been very, very serious. In this post I’ll explain what this means to the average web user…


Android Advertising Networks

An eye opener on advertising networks and what they can do with your Android mobile phone

Coinciding with some recent news articles on Android, privacy, applications and advertising networks, I’ve come across an app that I’ve found very insightful. The app is Ad Network Detector from Lookout, who also provide the Security and Antivirus protection that I use for my Android handset. I thought I’d share my findings so you can decide whether it’s useful to you or not…

Google and Privacy

A review of recent changes to Google’s privacy policy

On Thursday 1st March Google made some changes to their privacy policy and, although they’ve done a lot to forewarn the public, the changes are so controversial that they are being legally challenged in some countries. This post takes a look at what the changes mean to you and what to do about them…


WiFi Security

Some quick pointers on how to stay safe when using wireless networks

In recent years wireless networking (WiFi) has become so commonplace that you’ll find it in most homes, businesses and social venues like cafés, bars and hotels. Some areas have begun rolling out metropolitan networks covering shopping centres, airports or whole city centres. The convenience of wireless networks, however, comes with a trade-off in security that is often taken for granted or overlooked entirely. Here I’ll go over a few quick fixes to help you stay safe…
