
Tweetdeck users warned on XSS vulnerability


A new XSS vulnerability in Tweetdeck, the popular social media management platform for Twitter, could allow hackers to execute JavaScript code and even steal user credentials.


News broke, somewhat ironically, on Twitter on Wednesday evening, with several commentators detailing how the cross-site scripting vulnerability - one of the most prolific sources of security flaws in web applications - can allow anyone to tweet JavaScript code, and possibly steal account details.

Various developers have already posted screenshots on Twitter showing that they can tweet <script>alert("Yo!");</script> and have a 'Yo!' alert box pop up for logged-in users who view the tweet.

Tweetdeck users are advised to revoke their access to the application by going to Twitter and then visiting 'settings' and 'apps'. The vulnerability – which is rumoured to have been introduced by a security researcher – is currently said to only affect Tweetdeck Chrome users, with others on the Mac application and the Chrome and Firefox plug-ins reportedly unaffected.

In an email, George Anderson, director at Webroot, commented: "As Tweetdeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign in again on a secure browser session and change their log-ins. It's also best not to use Tweetdeck as long as it remains infected."

Rapid7's Trey Ford agreed, observing in an email: "The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user's session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat."

It has been suggested that hackers could use the vulnerability as part of a larger attack, possibly sending users to malware-ridden websites, in order to steal their Tweetdeck log-in details. Anderson warned: "The script is able to send any sensitive information accessible from within the browser back to the hacker, so a potential attacker can gain access to the user's private information – such as passwords, usernames and card numbers."

Ford adds: "Tweetdeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter. This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a 'worm' that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome."
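The rendering mistake Ford describes, a tweet body inserted into the page as markup rather than as text, shown beside the escaping that prevents it. This is an added example, not code from the article or from Tweetdeck; the tweet object shape and function names are assumptions, and the sample tweet is constructed from the payload quoted above.

```javascript
// Added example (not the article's or Tweetdeck's code). Shows why a tweet
// spliced into HTML unescaped is parsed as code, and the fix.

// Escape the five characters that let text break out of an HTML text node
// or quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the tweet body goes into the markup unchanged, so a
// tweet containing tags is interpreted as HTML/script when displayed.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b>: ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped, so the same tweet is
// displayed literally, as the characters its author typed.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b>: ` +
         `${escapeHtml(tweet.text)}</div>`;
}

// Detection helper for a log or moderation pipeline: flags tweet text that
// would be parsed as markup if a client rendered it unescaped.
function looksLikeMarkup(text) {
  return /<\s*\/?\s*[a-z][^>]*>/i.test(text) || /\bon\w+\s*=/i.test(text);
}

// Constructed sample tweet carrying the payload quoted in the article.
const sampleTweet = { user: 'example_user', text: '<script>alert("Yo!");</script>' };

console.log('unsafe :', renderTweetUnsafe(sampleTweet));
console.log('safe   :', renderTweetSafe(sampleTweet));
console.log('flagged:', looksLikeMarkup(sampleTweet.text));
```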

This is not the first time Tweetdeck has faced XSS problems, with F-Secure researcher Mikko Hypponen detailing a similar flaw back in 2011. At the time, however, the flaw was fixed almost immediately by Twitter, which has owned Tweetdeck since May 2011, when it bought the UK-based firm for £25 million.
