Much has already been written about the poor handling of the Data Retention and Investigatory Powers Bill (DRIP), so I won’t go into detail on the emergency legislation. Instead I’ll consider the validity of harvesting communications data en masse, which is at the heart of the bill.
If you’re using TweetDeck then I suggest you stop using it NOW and find an alternative, at least until further notice. A significant and easily exploited vulnerability has been discovered in TweetDeck, so far only confirmed when using the Google Chrome web browser.
The simplicity of this exploit makes it surprising that the vulnerability has lain undiscovered until now, and we’re likely to see a wave of spam trying to take advantage of it. The worst case scenario is that someone will be able to gain control of your Twitter account and then use it to distribute further spam or malware to your followers, who would likely trust something seemingly posted by you.
You will likely remain unaware that this has happened, and the hack does not need you to interact in any way for you to become a victim. It simply requires that someone you follow posts or retweets a maliciously crafted message, and that you’re viewing it in TweetDeck (on Chrome).
The vulnerability is a class called Cross-Site Scripting (or XSS for short). It means that malicious code can be run in your web browser under the domain of the vulnerable website, in this case TweetDeck (and potentially Twitter in general). The injected code therefore has access to any information in your browser that belongs to that website, in particular the session tokens that identify you to Twitter and grant access to your account.
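To make the mechanism concrete, here is an added example (my own illustration, not TweetDeck’s or Twitter’s code) of the rendering mistake that produces this kind of bug in a Twitter client, next to the hardened form. It builds HTML as strings rather than touching the DOM, so it runs outside a browser; the tweet object and helper names are assumptions for the illustration.

```javascript
// Added example, not TweetDeck/Twitter code: a tweet-rendering routine that
// concatenates untrusted text into markup, beside one that escapes it first.

// Map every HTML-significant character to its entity so user-supplied text can
// never open a tag or break out of an attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: tweet fields dropped straight into the template. Any
// markup in a message (posted or retweeted by someone you follow) becomes part
// of the page and runs in the client's origin, with its session tokens.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-user="${tweet.user}">${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped at the point it enters
// markup, so the text is displayed literally rather than interpreted.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-user="${escapeHtml(tweet.user)}">${escapeHtml(tweet.text)}</div>`;
}

// Defensive check for a code review or unit test: does the rendered output
// contain any tag other than the ones the template itself emits?
function hasUnexpectedTag(html, allowed = ['div']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample message carrying markup and quote characters, the shape
// of input an escaping bug fails on. (Hypothetical user and text.)
const SAMPLE_TWEET = { user: 'someone', text: 'check this <b>out</b> & "more"' };

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```

Escaping at render time is the fix the client needs; marking the session cookie HttpOnly limits what injected script can read but does not stop it acting on the page as you.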
Once you’ve closed TweetDeck you might also want to remove the application’s permissions from Twitter: click the gear icon in the top right of Twitter.com, then Settings, then Apps down the left hand side, then find TweetDeck in the list and click “Revoke Permissions”, along with any other apps that you’ve forgotten about and no longer use.
It seems the vulnerability was discovered by __Freakyclown__ and it’s too early for TweetDeck/Twitter to have provided any official reply or fix. I’ll provide an update as more information becomes available…
Update: Shortly after this issue went viral Twitter suspended the TweetDeck service, and shortly after that the service was restored with a fix in place. The issue started making waves around 4:30pm GMT, service was suspended around 6:00pm and restored around 7:00pm. Kudos to Twitter for their fast action.
I’ve been quiet for a while, sorry. Mainstream media has been peddling more FUD than normal over the past few days so I feel obliged to weigh in with my opinion and some clarification.
Not only are we fighting a losing battle but we’re having to battle the good guys!
Picture the scene: you receive a link that says it’s from your bank, the webpage that opens looks like your bank, and they want you to give them some information… what do you do?