Three wildly popular web applications suffered a series of security crises on Wednesday, once again highlighting the ease with which malicious computer users can cause widespread – even if temporary – havoc on the Internet.
Evernote, Feedly and TweetDeck, all suffered temporary outages on Wednesday as a result of several attacks on and exploits of their digital infrastructure. Evernote, an online note-taking app with more than 100 million users, and Feedly, a news aggregation service with about 15 million users, were hit with a denial of service attack. TweetDeck, a Twitter application owned by the microblogging service itself, was forced to fix a vulnerability in its software that allowed certain kinds of tweets to run potentially malicious code.
Both Evernote and Feedly appear to have been hit by a type of attack known as distributed denial of service. In a DDoS attack, a malicious user attempts to, in effect, overwhelm a website or service by inundating it with useless information.
By utilizing a massive network of private computers infected with malicious software, a DDoS attack can temporarily cripple a web site, although the attack rarely causes any long-lasting damage, and is relatively useless for capturing sensitive user data such as passwords or credit card numbers. The attack is in many ways analogous to millions of people calling the same customer service phone number at the same time – the system may become temporarily unavailable, but once the influx dies down, the issue tends to resolve itself.
In the case of Feedly (and possibly Evernote as well), Wednesday’s attack appeared to be part of a kind of digital hostage-taking.
“Criminals are attacking Feedly with a distributed denial of service attack,” the company said on its blog. “The attacker is trying to extort us money to make it stop. We refused to give in and are working with our network providers to mitigate the attack as best as we can.”
Tweetdeck, a popular application for Twitter, also suffered a serious security breach. Using a vulnerability known as cross-site scripting, malicious hackers were able to insert code into certain tweets, which could then compromise a user’s account. The Twitter website and application itself is designed to prevent such scripting. However, it appears that TweetDeck never got around to closing that loophole.
On Wednesday, many users complained that the exploit was causing accounts to retweet a message without the users’ permission. A Twitter user decided to show just how effective the TweetDeck exploit was by creating a tweet that automatically retweeted itself. By the afternoon, that message had been retweeted about 84,000 times.
“Twitter have just had a self-retweeting tweet, which should never have happened,” said technology and social media expert Tom Scott, who produced a video detailing how the TweetDeck exploit worked. “I mean, this is web security 101: If you don’t know this stuff, you shouldn’t be designing commercial web pages.”
Twitter, which bought TweetDeck in 2011 for about $40-million (U.S.), initially said it had fixed the problem, but subsequently was forced to take TweetDeck offline temporarily as it implemented another fix. Later in the day, the company said it had verified that the solution worked, and restarted TweetDeck.