Updated: Tweetdeck comes back online with “verified fix” after users experience random pop-up windows

Certain users of Twitter's Tweetdeck platform were shocked Wednesday morning to see that the app — which works via web, desktop and extensions in Chrome and Firefox — was creating pop-up alerts all by itself. The issue seemed to be affecting those who use the Tweetdeck app in Google Chrome, although mixed reports meant all versions could have been affected:

The problem is thought to be caused by an XSS exploit, based on a particular pop-up that cited XSS directly. In essence, JavaScript code can be easily injected directly into an app with a security flaw, like Tweetdeck, and the app then treats the injected code as if it were a direct action from within the app itself. The result, in this case, was the pop-ups visible to many.
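To illustrate the kind of flaw described here, the following is an added example; it is not from the original article and is not TweetDeck's code, which the article does not show. It assumes a hypothetical renderer that builds tweet HTML by string concatenation and puts the unescaped version beside one that escapes tweet fields on output; all function names and the sample tweet are constructed.

```javascript
// Added illustration; not TweetDeck's code. All names here are hypothetical.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can start a tag, an entity or an attribute delimiter.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user-controlled text is concatenated into markup as-is.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" title="${tweet.author}"><span>${tweet.text}</span></div>`;
}

// Hardened pattern: every user-controlled field is escaped at the point of output.
function renderTweetSafe(tweet) {
  return `<div class="tweet" title="${escapeHtml(tweet.author)}">` +
         `<span>${escapeHtml(tweet.text)}</span></div>`;
}

// Defender's check: list the element names a browser would see in the output.
function elementsIn(html) {
  const names = [];
  const tagPattern = /<([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let match;
  while ((match = tagPattern.exec(html)) !== null) names.push(match[1].toLowerCase());
  return names;
}

// Anything beyond the template's own div/span came from tweet content.
function unexpectedElements(html, allowed = ['div', 'span']) {
  return elementsIn(html).filter((name) => !allowed.includes(name));
}

// Constructed sample input: a tweet whose text carries markup, as in the pop-up case.
const sampleTweet = {
  author: 'example_user',
  text: '<script>alert("XSS")</script> Hello & welcome',
};

console.log(unexpectedElements(renderTweetUnsafe(sampleTweet)));
console.log(unexpectedElements(renderTweetSafe(sampleTweet)));
console.log(renderTweetSafe(sampleTweet));
```

The same `unexpectedElements` check can run in a unit test over a renderer's output, so that a template change that drops an escape call fails the build.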

Twitter confirmed there was a “security issue” on Tweetdeck and offered a fix: All users should log out and log back into the platform to be safe.

However, users complained that simply logging out and logging back in hadn’t fixed the pop-ups.

In light of those new complaints, Twitter later announced that all Tweetdeck services were taken down:

Twitter’s decision to take down Tweetdeck could have been fueled by a new problem that popped up in the interim: high-profile Twitter users like Jeff Jarvis lost control of their accounts and spontaneously retweeted a script that appears to single out the XSS exploit that caused the pop-ups in the first place:

Twitter has since brought Tweetdeck back up, citing a “verified fix.”

This article was updated throughout the morning as the situation changed, including Twitter’s announcements. 

2 Responses to “Updated: Tweetdeck comes back online with “verified fix” after users experience random pop-up windows”

  1. I was using the stand-alone Windows desktop application when I got the message. It’s more than just the browser version that is affected, although I believe the desktop version is actually just a browser without any navigation shown.

    TweetDeck is likely not properly escaping HTML in tweets and someone I follow likely constructed a tweet that created the dialog box.