
Summary:

Avid users of Tweetdeck should log out and revoke the app's access now, as an XSS vulnerability appears to have let attackers run script inside other users' Tweetdeck sessions.

Certain users of the Twitter client Tweetdeck were shocked Wednesday morning to see that the app, which runs on the web, as a desktop application and as Chrome and Firefox extensions, was creating pop-up alerts all by itself. The issue seemed to be affecting those who use the Tweetdeck app in Google Chrome, although mixed reports meant all versions could have been affected.

The source of the problem is thought to be an XSS (cross-site scripting) flaw, based on a particular pop-up that cited XSS directly. In essence, JavaScript placed in a tweet is rendered without being escaped by an app with a security flaw, like Tweetdeck, so the browser runs it as if it were the app's own code, inside the logged-in user's session. The result, in this case, was the pop-ups visible to many users.
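To make the mechanism concrete, here is an added example (not Tweetdeck's code, and not the payload seen in the wild) showing a tweet body being concatenated straight into markup next to the same rendering with HTML escaping applied. The tweet object, the function names and the `alert` payload are all constructed for illustration.

```javascript
// Added example, not code from Tweetdeck or from the original article.
// A constructed tweet carrying an illustrative script payload.
const SAMPLE_TWEET = {
  user: 'someone_you_follow',
  text: '<script>alert("XSS")</script> hello',
};

// Vulnerable rendering: the tweet text is interpolated directly into HTML,
// so the browser parses the author's <script> as part of the page and
// executes it with the viewer's session, cookies and app privileges.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Escape the characters HTML treats specially so tweet text can only ever
// be displayed as text, never parsed as tags or attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: every untrusted field is escaped before interpolation.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Crude check used only to show the difference: does the rendered markup
// contain a real <script> tag that the tweet author, not the app, introduced?
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```

Escaping on output is the minimum fix; a Content Security Policy that forbids inline script would additionally have stopped the injected `alert` from running even where escaping was missed.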

Twitter confirmed there was a “security issue” on Tweetdeck and offered a fix: All users should log out and log back into the platform to be safe.

However, users complained that simply logging out and logging back in hadn’t fixed the pop-ups.

In light of those new complaints, Twitter later announced that all Tweetdeck services had been taken down.

Twitter’s decision to take down Tweetdeck could have been fueled by a new problem that popped up in the interim: high-profile Twitter users like Jeff Jarvis lost control of their accounts, which retweeted, without their owners' action, a tweet carrying a script that appears to exploit the same XSS flaw that caused the pop-ups in the first place.

Twitter has since brought Tweetdeck back up, citing a “verified fix.”

This article was updated throughout the morning as the situation changed, including Twitter’s announcements. 

Saturday, August 30, 2014
2 Comments

  1. I was using the stand-alone Windows desktop application when I got the message. It’s more than just the browser version that is affected, although I believe the desktop version is actually just a browser without any navigation shown.

    TweetDeck is likely not properly escaping HTML in tweets and someone I follow likely constructed a tweet that created the dialog box.

  2. I got an XSS alert using Tweetdeck on Firefox.