Thursday saw a series of unpleasant occurrences that breached the security of several online services used by millions of users. To be specific, the alternative Twitter client known as Tweetdeck had problems with an XSS vulnerability that caused it to go down for several hours. In addition, and entirely independently of the previous attack, an orchestrated DDoS attack affected networks of the likes of Evernote, Vimeo, and Feedly. In fact, the latter, as of Thursday, had been down since Wednesday.
What happened with the XSS attack on Tweetdeck?
In this case, the problem has now been fixed, and the only effect on users, besides the outage of the client for a few hours, is that they need to log in again to use it.
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014
In this case, the action taken was as harmless as spreading a simple tweet, but it made clear that Tweetdeck was vulnerable to an XSS attack. The service is currently working properly and the problem has now been solved.
<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *andy@SHA2017 (@derGeruhn) June 11, 2014
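The tweet above shows the defect class, not TweetDeck's internals: a tweet body reached the page as markup instead of as text. The following is an added example, not TweetDeck's code or the tweet author's, contrasting a renderer that interpolates the raw body into HTML with one that escapes it, plus a small guard a reviewer could use in unit tests to catch the unsafe pattern. The function names, the template, and the sample tweet are assumptions constructed for the example.

```javascript
// Added example (not TweetDeck's code). A tweet body is untrusted input and
// must reach the page as text, never as markup. Two renderers are shown: one
// that interpolates the raw body into HTML (the pattern that lets a tweet run
// script in the client) and one that escapes it first.

// Escape the five characters that can change the meaning of an HTML text or
// attribute context. Everything else, including non-ASCII such as the heart in
// the tweet above, passes through unchanged.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe: the tweet body becomes part of the DOM tree as markup.
function renderTweetUnsafe(author, body) {
  return `<div class="tweet"><span class="author">${author}</span> ${body}</div>`;
}

// Safe: author and body are escaped, so any tags inside them stay literal text.
function renderTweet(author, body) {
  return `<div class="tweet"><span class="author">${escapeHtml(author)}</span> ${escapeHtml(body)}</div>`;
}

// Review guard: does a rendered fragment contain any tag other than the ones
// the template itself emits? Constructed for this example; the tag set is the
// template's own.
const TEMPLATE_TAGS = new Set(['div', 'span']);
function hasUnexpectedTags(html) {
  const found = html.match(/<\/?([a-zA-Z][\w-]*)/g) || [];
  return found.some((t) => !TEMPLATE_TAGS.has(t.replace(/^<\/?/, '').toLowerCase()));
}

// Constructed sample body with the same shape as the quoted tweet (script tag
// followed by a heart); it is test input, not the real payload.
const SAMPLE_BODY = "<script>alert('test')</script>\u2665";

// Stand-alone demonstration.
console.log('unsafe renderer leaks tags:', hasUnexpectedTags(renderTweetUnsafe('alice', SAMPLE_BODY)));
console.log('safe renderer leaks tags:  ', hasUnexpectedTags(renderTweet('alice', SAMPLE_BODY)));
console.log(renderTweet('alice', SAMPLE_BODY));
```

Escaping at the point where text is inserted into markup is the fix for this class of bug; client-side checks that try to strip dangerous substrings from the input instead are routinely bypassed and are not shown here.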
The DDoS attack on Feedly and other services
The official Feedly blog has been issuing frequent updates on the event. It has suffered a distributed denial of service (DDoS) attack on its servers by an extortionist demanding money to lift the outage. This type of attack consists of saturating a network by consuming all of its bandwidth with thousands of requests per second, causing the service to fail until measures are taken to stop it. In this case, the attack was carried out at a rate of 100 gigabytes per second from several attack vectors located in different places around the world.
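The paragraph above describes the two properties a defender has to detect: a request rate the service cannot absorb, and traffic spread over many sources so that no single one looks abusive. The following is an added example, not Feedly's code or any vendor's mitigation, that buckets a constructed access log by second and raises a per-source alert as well as an aggregate alert for seconds where the total exceeds capacity even though every individual source stays under its own limit. The log format, the thresholds, and the addresses are assumptions constructed for the example.

```javascript
// Added example, not Feedly's or any vendor's code. Counts requests per second
// from a constructed access log and raises two kinds of alert: a single source
// exceeding PER_SOURCE_LIMIT, and a second in which the aggregate rate exceeds
// AGGREGATE_LIMIT even though no single source is over its limit, which is the
// signature of a flood spread across many sources.

const PER_SOURCE_LIMIT = 5;   // assumed per-source requests/second budget
const AGGREGATE_LIMIT = 10;   // assumed total requests/second the service can absorb

// Constructed log lines: "<ISO timestamp> <client address> <method> <path>".
function burst(ts, ip, n) {
  return Array.from({ length: n }, () => `${ts} ${ip} GET /reader`);
}
const SAMPLE_LOG = [
  ...burst('2014-06-11T10:00:00Z', '198.51.100.7', 4),  // three sources, each
  ...burst('2014-06-11T10:00:00Z', '203.0.113.9', 4),   // under the per-source
  ...burst('2014-06-11T10:00:00Z', '192.0.2.33', 4),    // limit, 12 in total
  ...burst('2014-06-11T10:00:01Z', '192.0.2.33', 6),    // one source over its limit
  ...burst('2014-06-11T10:00:02Z', '198.51.100.7', 1),  // normal traffic
];

// Parse one line into a whole-second bucket key and its fields; null if malformed.
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+)$/.exec(line.trim());
  if (!m) return null;
  const second = Math.floor(Date.parse(m[1]) / 1000);
  if (Number.isNaN(second)) return null;
  return { second, source: m[2], method: m[3], path: m[4] };
}

// Bucket by second and by source, then apply both thresholds.
function analyze(lines, perSourceLimit = PER_SOURCE_LIMIT, aggregateLimit = AGGREGATE_LIMIT) {
  const buckets = new Map(); // second -> Map(source -> count)
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue; // skip unparseable lines rather than failing the whole run
    if (!buckets.has(rec.second)) buckets.set(rec.second, new Map());
    const bySource = buckets.get(rec.second);
    bySource.set(rec.source, (bySource.get(rec.source) || 0) + 1);
  }
  const alerts = [];
  for (const [second, bySource] of [...buckets].sort((a, b) => a[0] - b[0])) {
    let total = 0;
    for (const [source, count] of bySource) {
      total += count;
      if (count > perSourceLimit) alerts.push({ kind: 'source', second, source, count });
    }
    if (total > aggregateLimit) {
      alerts.push({ kind: 'aggregate', second, sources: bySource.size, count: total });
    }
  }
  return alerts;
}

// Stand-alone demonstration.
for (const a of analyze(SAMPLE_LOG)) console.log(JSON.stringify(a));
```

The first alert the sample produces is the important one: twelve requests in one second from three addresses, none of which trips the per-source limit on its own. Per-source rate limiting alone would have stayed silent, which is why volumetric floods are handled by aggregate capacity monitoring and upstream filtering rather than by per-client rules.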
Evernote is up and running. There may be a hiccup or two for the next 24 hours. We appreciate your patience.
— Evernote (@evernote) June 11, 2014
Feedly wasn’t the only victim: many other popular services, such as Evernote, Meetup, Basecamp, Vimeo, and Bit.ly, also suffered attacks. Nevertheless, except for Feedly, which was expected to return to service by Friday, the rest have been completely restored without user security or data having been compromised.