Running TweetDeck? It may have been hijacked by tweets containing attack code.

Twitter on Wednesday was briefly overrun by a powerful computer worm that caused tens of thousands of users to tweet a message that contained self-propagating code exploiting a bug in the TweetDeck app.

Within a few hours, the cross-site scripting (XSS) attack caused at least 84,700 users to retweet a single message originally transmitted by the user @derGeruhn. The body of the message contained JavaScript commands that caused anyone viewing it in TweetDeck to automatically retweet it. The message spread virally. The more times it was retweeted, the more times it was viewed and retweeted by other people using the vulnerable app. The BBC News Twitter account alone pushed the message to 10.1 million followers.

It's by no means the first time a worm has slithered through Twitter. Worms based on clickjacking exploits and XSS attacks were documented as long ago as 2009 and were also used maliciously in 2011 to spread scam messages.
Filter bypass exploits like cockroaches

The out-of-control tweets were the result of a software flaw that prevented TweetDeck from properly filtering code out of messages it displayed. As a result, the app executed JavaScript commands transmitted in message bodies that contained commands for retweeting the message. The episode underscores the vexing difficulty of eliminating XSS vulnerabilities from websites and end-user apps. Even when developers erect defenses that filter out harmful code from user-supplied content, there are frequently ways to circumvent them.

"The filter bypass in this case was a little tricky," Jeremiah Grossman, CEO of WhiteHat Security, told Ars. "Cross site scripting is a cockroach. It's all but impossible to exterminate completely. No matter how hard you try and how much you invest, you're going to make mistakes."

The Twitter worms that have publicly surfaced over the past few years have been relatively benign. More often than not, they have been little more than pranks, or at worst a platform for scam-fueled spam. There's a much darker side to XSS attacks, since they often make it possible for attackers to remotely obtain the authentication tokens and cookies online services use to grant access to user accounts or other restricted parts of a site. In April, researchers documented an XSS flaw that corralled 22,000 visitors into a botnet of DDoS zombies.

And even when XSS attacks appear to be benign, they often create huge strains on a website's servers. The so-called Samy Worm of 2005, for instance, allowed its creator, Samy Kamkar, to spontaneously gain more than 1 million MySpace followers. In the process, it knocked the site out of commission for a day.

There's no indication that anything nefarious happened Wednesday, but since such attacks can often be launched in a stealthy way, there's no way to immediately rule out the possibility. Out of an abundance of caution, TweetDeck users who were logged in on Wednesday should reset the passwords for both their TweetDeck and Twitter accounts. Officials with the Twitter-owned TweetDeck declared the bug fixed shortly after it surfaced. They later suspended service to investigate further and finally verified the fix and restored service.