TweetDeck crashed after Austrian teen made a HEART symbol

TweetDeck was hacked Wednesday after an Austrian programming teenager made a cute love heart symbol.

The teen, whose name is Florian, said he discovered early yesterday that '&hearts' made a heart symbol in HTML and in turn created an opening in TweetDeck's software. This allowed someone to inject computer program commands via a tweet, in other words a software bug.

'It wasn't a hack. It was some sort of accident,' he told CNN, choosing to withhold his last name.

He tried it again, and again, until he made it create a pop-up on his own TweetDeck dashboard. He then announced 'Vulnerability discovered in TweetDeck. \o/' before informing Twitter about the problem.

Alert: The teen, whose name is Florian, said he discovered that '&hearts' made a heart symbol in HTML and in turn created an opening in TweetDeck's software. It was then abused by @derGeruhn, pictured

But it was too late. A hacker with the handle @derGeruhn had already exploited the vulnerability, causing more than 40,000 users to automatically and involuntarily retweet a cryptic line of code.

That account belongs to a 'single, strange, arrogant' German programmer and college student named Andy Perdana.

Perdana, according to the Washington Post, has been on Twitter with the handle @derGeruhn since 2012, a year after he began studying computer science at the University of Applied Science in Karlsruhe, Germany.

He's contributed code to online gaming projects on GitHub, and maintains a profile on the encrypted messaging site Keybase.

And @derGeruhn later Wednesday tweeted that his message was a prank.

Meanwhile, Florian, who goes by Firo, feels terrible about the whole thing.

'It's horror that TweetDeck made that mistake,' he told CNN. 'It's horror that [hackers] are using this issue. I don't know. I'm sad in a way.'

Twitter was forced to shut down its popular application for several hours following the major security alert.

Users of the TweetDeck Chrome plugin were greeted with this message after hackers found a flaw in its code

HOW IT WORKS

The vulnerability allows attackers to place computer code in a tweet.

Once the tweet appears inside TweetDeck, the code can run actions and be re-tweeted to other accounts, further propagating the problem.

Users of the Chrome browser version of the app reported getting random pop-up windows containing messages such as 'Yo!' or 'Please close now TweetDeck [sic], it is not safe.'

The firm took to Twitter to acknowledge the bug, first saying: 'We've temporarily taken TweetDeck services down to assess today's earlier security issue.

'We'll update when services are back up.'

Earlier in the day, Twitter pushed out a code fix that was supposed to close the security hole but did not.

At that point the company tweeted 'A security issue that affected TweetDeck Wednesday morning has been fixed.

'Please log out of TweetDeck and log back in to fully apply the fix.'

However, it is believed the problem continued, until the firm later tweeted: 'We've verified our security fix and have turned TweetDeck services back on for all users.

'Sorry for any inconvenience.'

Experts say the flaw could have been used to steal data.

'Cross site scripting or XSS is a type of exploit that usually works in a website or a web application. It allows the attacker to run a script on the user's device, which makes XSS vulnerability so dangerous,' said George Anderson, of security firm Webroot.

The firm took to Twitter to acknowledge the bug following complaints from users

'The script is able to send any sensitive information accessible from within the browser back to the hacker, so a potential attacker can gain access to the user's private information – such as passwords, usernames and card numbers.'

He advised users to log out of the app and remove their saved passwords as a precaution.

'As TweetDeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected.

'Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign-in again on a secure browser session and change their logins.

'It's also best not to use TweetDeck as long as it remains infected.'

TweetDeck is a free download for desktop computers, iPhones, Google's Android devices and the Google Chrome browser.

The software allows users to organize their Twitter streams and offers a more user friendly view of Twitter feeds.

Twitter bought TweetDeck in 2011 for about $40 million.

Released in 2008, it was the first third-party Twitter application to catch on with Twitter users.
