Much has already been written about the poor handling of the Data Retention and Investigatory Powers Bill (DRIP), so I won’t go into detail on the emergency legislation. Instead I’ll consider the validity of harvesting communications data en masse, which is at the heart of the bill.
If you’re using TweetDeck then I suggest you stop using it NOW and find an alternative, at least until further notice. A significant and easily exploited vulnerability has been discovered in TweetDeck, so far only confirmed when using the Google Chrome web browser.
The simplicity of this exploit makes it surprising that the vulnerability has lain undiscovered until now, and we’re likely to see a wave of spam trying to take advantage of it. The worst-case scenario is that someone will be able to gain control of your Twitter account, and then likely use it to distribute further spam or malware to your followers, who are likely to trust something seemingly posted by you.
You will likely remain unaware that this happened and the hack does not need you to interact in any way for you to become a victim. It simply requires that someone you follow posts or retweets a maliciously crafted message, and that you’re using TweetDeck (on Chrome).
The vulnerability is a Cross-Site Scripting (XSS) flaw. It means that malicious code can be run in your web browser under the domain of the vulnerable website, in this case TweetDeck (and potentially Twitter in general). The malicious code therefore has access to any information within your browser that belongs to that website, in particular the session tokens that identify you to Twitter and grant access to your account.
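As an added illustration (my own code, not TweetDeck’s or Twitter’s), here is the difference between a client that drops a tweet’s text straight into HTML and one that escapes it first; the constructed sample tweet carries an inert markup string so you can see how each renderer treats it.

```javascript
// Added illustration, not TweetDeck code. A constructed tweet object is
// rendered into an HTML fragment two ways: unsafely (raw text concatenated
// into markup) and safely (text escaped first). Only the escaped version
// keeps author-supplied markup from becoming live DOM in the site's origin.

// Constructed sample tweet; the markup inside is inert in Node and only
// appears as text in the output.
const sampleTweet = {
  user: "someone_you_follow",
  text: '<img src=x onerror="alert(1)"> hello',
};

// Escape the five characters that let text break out of HTML text/attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// VULNERABLE: tweet text is dropped straight into markup. Whatever the author
// typed is parsed as HTML the moment this string is assigned to innerHTML.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// HARDENED: every untrusted field is escaped before it touches markup, so the
// same string is displayed as literal characters instead of interpreted.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Cheap review check: after removing the template's own fixed tags, no raw
// "<" should remain in the rendered fragment.
function containsRawMarkup(html) {
  const templateTags = ['<div class="tweet">', "<b>", "</b>", "</div>"];
  let stripped = html;
  for (const t of templateTags) stripped = stripped.split(t).join("");
  return stripped.includes("<");
}

console.log("unsafe:", renderTweetUnsafe(sampleTweet));
console.log("safe:  ", renderTweetSafe(sampleTweet));
```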
Once you’ve closed TweetDeck you might also want to remove the application’s permissions from Twitter: click the Gear icon in the top right of Twitter.com, then Settings, then Apps down the left-hand side, then find TweetDeck in the list and click “Revoke Permissions”, along with any other apps that you’ve forgotten about and no longer use.
It seems the vulnerability was discovered by __Freakyclown__ and it’s too early for TweetDeck/Twitter to have provided any official reply or fix. I’ll provide an update as more information becomes available…
Update: Shortly after this issue went viral, Twitter suspended the TweetDeck service; shortly after that the service was restored with a fix in place. The issue started making waves around 4:30pm GMT, the service was suspended around 6:00pm and restored around 7:00pm. Kudos to Twitter for their fast action.
I’ve been quiet for a while, sorry. Mainstream media has been peddling more FUD than normal over the past few days so I feel obliged to weigh in with my opinion and some clarification.
Not only are we fighting a losing battle but we’re having to battle the good guys!
Picture the scene: you receive a link that says it’s from your bank, the webpage that opens looks like your bank, and they want you to give them some information… what do you do?
A breakdown of a scam that starts with an email that looks like it has come from Facebook
I received an email that at first appearance looks to be from Facebook but the first clue that it’s fake is that it arrived at an email account that I’ve never used with Facebook (like I’d trust them with anything meaningful! pah). Here I take a look at the scam, the players and the played…
A look at several mobile apps (for Android and iPhone) that make empty promises to protect your privacy
The best advice when it comes to privacy and photos and videos is “don’t take a photo that you don’t want your boss/parents/grandparents to see” but this advice is rarely heeded. In a cheap attempt to profit from people’s privacy worries there are several apps on the market that promise to protect your dignity from prying eyes. Here I take a look at several such apps and demonstrate how they fail to measure up…
What DNS is and why it is important for security on the web.
Last week a pretty big mishap slipped by with only the briefest mention in techy news circles. The domain registrar for Ireland was compromised, resulting in web traffic looking for the Yahoo and Google Irish websites being redirected to unofficial counterfeit websites. You’ll be forgiven if this doesn’t mean much to you, but suffice to say it could have been very, very serious. In this post I’ll explain what this means to the average web user…
An eye opener on advertising networks and what they can do with your Android mobile phone
Coinciding with some recent news articles on Android, privacy, applications and advertising networks, I’ve come across an app that I’ve found very insightful. The app is Ad Network Detector from Lookout who also provide the Security and Antivirus protection that I use for my Android handset. I thought I’d share my findings so you can decide whether it’s useful to you or not…
Some quick pointers on how to stay safe when using wireless networks
In recent years wireless networking (WiFi) has become so commonplace that you’ll find it in most homes, businesses and social venues like cafés, bars and hotels. Some areas have begun rolling out metropolitan networks covering shopping centres, airports or whole city centres. The convenience of wireless networks, however, comes with a trade-off in security that is often taken for granted or overlooked entirely. Here I’ll go over a few quick fixes to help you stay safe…