Thursday saw a series of unpleasant occurrences that breached the security of several online services used by millions of users. To be specific, the alternative Twitter client known as Tweetdeck had problems with an XSS vulnerability that caused it to go down for several hours. In addition, and totally independently to the previous attack, an orchestrated DDoS attack affected networks of the likes of Evernote, Vimeo, and Feedly. In fact, the latter, as of Thursday, has been down since Wednesday.

What happened with the XSS attack on Tweetdeck?

In this case, the problem has now been fixed, and the only effect on users, besides the outage of the client for a few hours, is that they need to log in again to use it.

An XSS attack uses an injection of malicious code normally applied to services and web apps, usually via hyperlinks or tags in JavaScript or similar languages, that spark an action whose affect you don’t know. In this case, the chain reaction was a tweet that was automatically retweeted to all your contacts, affecting thousands of accounts in a few minutes. This is the code in question:

In this case, the action done was as inoffensive as the spreading of a simple tweet, but it made clear that Tweetdeck was vulnerable to an XSS attack. The service is currently working properly and the problem has now been solved.

The DDoS attack on Feedly and other services

The official Feedly blog has been issuing frequent updates on the event. It’s suffered a denial of service (DDoS) attack on its servers by an extortionist looking for money to lift the outage. This type of activity consists of saturating a network by taking up all its bandwidth by making thousands of requests per second, causing the network to fail until measures are taken to stop it. In this case, the attack was done at a rate of 100 gigabytes per second using several action vectors located in different places around the world.

Feedly wasn’t the only victim, with many other popular services like Evernote, Meetup, Basecamp, Vimeo, Bit.ly and others suffered attacks. Nevertheless, except for Feedly, which should have returned to service by Friday, the rest have been completely restored without having compromised user security or data.