HACKERS HAVE UPDATED a Trojan that gets around the sandbox security of Adobe Air apps such as TweetDeck.
We thought Adobe had learnt its lesson with the repeatedly exploited Flash, but the Trojan attacks on Air suggest otherwise. Graham Cluley, senior tech consultant at Sophos, blogged yesterday about a fake TweetDeck update that preys on Twitter users. Hackers used the bank holiday weekend to get users to click on loaded links to a fake "critical" TweetDeck update that was in fact a Trojan.
"The tweets are being posted from hacked Twitter accounts, and do not link to a legitimate update for TweetDeck", said Cluley. "Instead, unsuspecting users are putting themselves at risk of infection by a Trojan horse."
Twitter sent out a safety update yesterday, warning users not to download anything. "We're sending password resets to accounts posting a fake TweetDeck update; don't download that file!"
Cluley reckoned the hackers got away with the updated attack because Twitter stopped supporting "basic authentication in their API today, meaning users have to be using a Twitter client which uses OAuth".
But the real loser here is the security on Adobe's Air. Tweetdeck was developed on Air, which Adobe designed with integrated sandboxing to limit Trojan attacks amongst other security features. Adobe said itself that Air apps need to be digitally signed. "The only way to instill confidence in the end user is by requiring developers to digitally sign their applications with a security certificate from a trusted third-party vendor," said Adobe.
However, the most embarrassing issue, aside from the ability to self-sign certificates, is the fact that a simple link is all that is needed to circumvent the security of Air's sandbox. Adobe told the INQUIRER, "If you choose to click on a link within the application, then it will open your default Web browser and take you to the site specified in the URL/link. At that point, you are surfing the Web through your Web browser, and TweetDeck, and consequently the AIR runtime, is no longer involved."
So while Adobe's sandbox may indeed provide some semblance of security, one link is all that was required to sucker in users over the bank holiday. µ
This has nothing to do with Tweetdeck other than someone using the name. That's like saying someone who tweets about a "Critical Microsoft patch!" has hacked Windows.
No one hacked TweetDeck (the Trojan isn't even an AIR application), and digital signing can only be done if the hackers get their hands on the original certificate. Since neither of these happened, 90% of this article is completely incorrect. Please stop blaming Adobe for your ignorance.
Adobe's Flash is the most successful resource-consuming trojan set loose on Internet, and a lot of people pay for it.
The program that people are downloading is called "tweetdeck-08302010-update.exe"(*). It's just a completely ordinary executable(**) that pretends to be something to do with tweetdeck but isn't. Since it isn't really an Air application, Adobe's Air installer doesn't even come into the picture.
Also, according to the Adobe devnet page you linked to(***), self-signed certs don't work, unless somehow you managed to get the user to install your self-generated CA cert into their root cert store first: to quote,
"Note: There's also a way for a developer to self-sign an Adobe AIR application so they can test it, but when the AIR runtime tries installing the application, it presents the user with a big old UNKNOWN publisher warning, see Figure 1(****). (Unless, of course, your user has installed your self-signed certificate on his or her machine.)"
It's surely incorrect to describe a self-certified cert as "trusted" when it pops up a huge great warning like that; and as I pointed out, it's not Adobe Air's fault that completely unrelated applications can run and install themselves on the machine.
Update/clarification needed?
=======================================
(*) - http://support.tweetdeck.com/entries/249941-do-not-download-fake-tweetdeck-update-appearing-on-twitter
(**) - http://www.virustotal.com/file-scan/report.html?id=73a57edb2e301b0bff4c5f301e160aa433f8abae737bf0cd4dc1e4c44e1a05dd-1283261376
(***) - http://www.adobe.com/devnet/air/articles/signing_air_applications_print.html
(****) - http://www.adobe.com/devnet/air/articles/signing_air_applications/fig01.jpg