TweetDeck users urged to restart app to avoid XSS attack


TweetDeck was forced offline after a security hole was discovered that could open up users' browsers to cross site scripting (XSS) attacks.

The vulnerability affected several high profile accounts including Labour leader Ed Miliband.

Soon after the discovery, many Twitter users managed to post tweets using the flaw to display dialogue boxes. However, the XSS flaw could allow hackers to inject javascript into web pages to access user accounts and important security information.

We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.TweetDeck (@TweetDeck) June 11, 2014

The vulnerability seemed to only affect TweetDeck's browser plug-in for Google Chrome. The XSS vulnerability has been reported on both Windows and Mac versions of the TweetDeck app for Chrome.

Initially, users were warned to log out and log back into TweetDeck to prevent users from being hacked. It then took the service down to assess the security issue.

"We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience," it said in a tweet.

Trey Ford, global security strategist at IT security firm Rapid7, said that while TweetDeck appeared to have jumped on this issue and patched it, the bug was still spreading "like wildfire through Twitter."

"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a "worm" that self-replicates by creating malicious tweets," he said.

George Anderson, director of product marketing at Webroot, said that hackers could have used the flaw to send sensitive information back to them.

"A potential attacker can gains access to the user's private information such as passwords, usernames and card numbers," he said.

Mikko Hypponen, the chief research officer at F-Secure, discovered a similar flaw in Tweetdeck back in 2011.

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.