Twitter has managed to stay out of the hacking news this year -- until now. The micro-blogging platform plugged a security
flaw in its TweetDeck application this week, but revelations about the fallout continue.
"We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up," was the message people read when they logged into the service during the breach. But that's nothing compared with this: TweetDeck's systems randomly re-tweeted messages that contained could-be malicious code.
It all started with a tweet of a heart symbol loaded with a string of code. A 19-year-old computer geek in Austria named Florian coded the heart symbol using "&hearts." Little did he know it would behave like a worm, spreading far and wide. Florian told CNN he was just experimenting when he realized the heart symbol opened a back door to TweetDeck's software.
Wasn't a Hack
"It wasn't a hack. It was some sort of accident," he told CNN. The problem was he shared that information with the world and it drove a mass TweetDeck hijacking. According to CNN, one message from Twitter user @derGeruhn was shared more than 37,000 times.
"A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix," Twitter tweeted after solving the problem.
Although Twitter fixed the code issue quickly, CNN said it was affected and The Telegraph is reporting that the hack also compromised the Twitter accounts of the BBC and the White House.
Florian, who declined to give his name to the media due to privacy concerns, refuses to take the blame: "It's a pity that many people believe that in some way I 'hacked' TweetDeck and shut it down. I was getting lots of hate messages. Why? Because I reported a serious security bug?"
We caught up with Chester Wisniewski, senior security adviser at Sophos, to get his take on whether or not Florian was irresponsible to disclose the code publicly and what this really says about online security. He told us Florian may have been somewhat irresponsible, and it says plenty about online security.
"It seems Florian's intent was entirely innocent and he didn't himself craft a worm. He claims to have notified Twitter as well," Wisniewski said. "The unknown variable is who shared the trick with the people who meant to cause harm. He could have been quieter about it, but he seems honest enough."
As far as online security, Wisniewski said this incident shows that HTML was not intended to be an application programming language. Ajax and other code that has been layered onto it to make it capable of executing programs is a massive hack, and it is insanely easy to make a mistake that can be exploited.
"Writing Web programs is incredibly complicated because it was never meant to be done," Wisniewski said. "As specifications move forward and mature, hopefully we will have a more solid and appropriate base to build upon now that we see the importance of 'cloud computing' to the future."