Twitter plugged a security vulnerability in its popular TweetDeck application Wednesday, after disabling the system for over an hour earlier in the day to fix it.
People logged into the service during the breach saw odd pop-up messages. Their accounts also automatically retweeted messages containing potentially malicious script code.
When the site was taken down, TweetDeck tweeted, “We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.”
A Twitter spokesman declined to comment.
The entire episode may have been inadvertently caused by a 19-year-old Austrian programmer. According to multiple sources, the young man, whose first name is Florian, realized that typing “&hearts” produces a “♥” symbol in HTML, the markup language used on the web.
He told CNN that as he was experimenting, he found that the heart symbol created an opening in the site’s software. That in turn made it possible to inject computer program commands via tweets.
The young man alerted Twitter and posted his finding online. Others then used it to hijack the site before Twitter programmers could fix the problem.
Florian’s Twitter account was quickly deluged by journalists and angry Twitter users.
In response to interview requests, he replied “I don’t want any more publicity. Everyone is hating me, because I reported a major security-bug in TweetDeck. Enough said.”
It took Twitter programmers several hours to plug the hole. Earlier in the day, Twitter pushed out a code fix that was supposed to close the security hole. However, it didn’t work.
At that point, the company tweeted out, “A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.”
Less than an hour later, the site was taken down. It went up again by mid-afternoon.
TweetDeck is a free download for desktop computers, iPhones, Google’s Android devices and the Google Chrome browser. The software allows users to organize their Twitter streams and offers a more user-friendly view of Twitter feeds.
“Tweetdeck appears to have jumped on this issue and patched it, but we’re still seeing it spread like wildfire through Twitter,” said Trey Ford, a security expert at Rapid7, a security firm based in Boston.
“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we’re seeing is a ‘worm’ that self-replicates by creating malicious tweets,” he said.
It was originally reported that the vulnerability only affected the app’s desktop program and only when it was run on Google’s Chrome browser. However, users on other platforms, including Internet Explorer 9, are also reporting being hacked.
According to the website Verge, users reported getting random pop-up windows containing messages such as “Yo!” or “Please close now TweetDeck [sic], it is not safe.”
Twitter bought TweetDeck in 2011 for about $40 million.
Released in 2008, it was the first third-party Twitter application to catch on with Twitter users.