If you were sitting around just a minute ago watching the On the Media Twitter feed, you might have seen On the Media retweet this:
<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *andy (@derGeruhn) June 11, 2014
The thing is, On the Media didn't initiate this retweet, and it's a safe bet that the nearly 40,000 other accounts that unwittingly retweeted it didn't either. Everyone who noticed this tweet had one thing in common: they were using Tweetdeck to manage their social media accounts. Tweetdeck has yet to explain what happened, saying only that an issue has been resolved.
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014
We'll update this article as information comes in.
Update 1: Users are complaining that Tweetdeck has not resolved the issue and people are still seeing fake retweets in their name.
Log in/out does not help, still seeing XSS in @Tweetdeck warning, fake RT's in my name
— Zoli Erdos (@ZoliErdos) June 11, 2014
Update 2: TweetDeck has taken its services offline to explore the problem.
We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014
Update 3: Some Twitter users report being Rickrolled by Tweetdeck error messages. Rickrolling sure seems to have seen a resurgence in the past couple of days.
hackers from 2007 are currently rickrolling ppl on TweetDeck tho pic.twitter.com/HfO03OiLjy
— Anthony B. L. Smith (@AnthonyBLSmith) June 11, 2014
Update 4: Other Twitter users are reporting similarly cheeky/vulgar/infantile error messages:
Tweetdeck XSS pic.twitter.com/tgT9w0bZ1q
— Andreas Lindh (@addelindh) June 11, 2014
Update 5: Tweetdeck says it has turned its service back on.
We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014
Update 6: Turns out there wasn't any one person doing the hacking on Tweetdeck. From The Verge:
It looks as though @derGeruhn, the Twitter user at the top of this post, was simply the most successful of the many people who used this exploit. His most recent conversation is with someone discussing his role in originating it (tweets translated by WNYC's Ilya Marritz and Studio 360's Sruthi Pinnamaneni):
@LokiMorgenstern: Private thought: If one had already known that about @derGeruhn, one could have asked him to let #ZKK15 trend up.
@derGeruhn: @LokiMorgenstern Had I known that things would go so crass, I would have packed the alert with news/messages that were more fun.
And now we know the story behind the TweetDeck hack, thanks to CNN Money. It's an interesting story. Check it out.
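A defender's footnote, added here and not part of the original post or of TweetDeck's own code: the tweet at the top of this post is ordinary tweet text that happens to contain a `<script>` element, and that text can only run if a client inserts it into the page as HTML rather than as text. The example below uses a constructed, shortened stand-in for that tweet and contrasts rendering by plain string concatenation with rendering after HTML escaping; `escapeHtml`, `renderUnsafe`, `renderSafe` and `containsLiveScriptTag` are hypothetical names.

```javascript
// Constructed sample modelled on the tweet at the top of the post
// (shortened; the heart is kept because the real tweet carried one).
const sampleTweet = '<script class="xss">alert(\'XSS in Tweetdeck\')</script>\u2665';

// Escape the five characters that change meaning inside HTML text or
// attribute values, so untrusted text can be interpolated into markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe path: the tweet body is concatenated straight into markup, so a
// browser parsing this string would see a real <script> element.
// (This only builds the string; nothing here touches a DOM.)
function renderUnsafe(tweet) {
  return '<p class="tweet-text">' + tweet + '</p>';
}

// Safe path: the same body, escaped first, so "<script>" arrives as literal
// text and the heart survives unchanged because it needs no escaping.
function renderSafe(tweet) {
  return '<p class="tweet-text">' + escapeHtml(tweet) + '</p>';
}

// Simple check a test or a log scanner might apply to rendered markup:
// does it still contain a live script element?
function containsLiveScriptTag(html) {
  return /<\s*script\b/i.test(html);
}
```

In a real client the equivalent fix is to assign untrusted text via `textContent` (or an escaping template engine) rather than `innerHTML` or string-built markup.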