
Tweetdeck users warned on XSS vulnerability


A new XSS vulnerability in Tweetdeck, the popular social media management platform for Twitter, could allow attackers to run JavaScript in the browser of anyone viewing a crafted tweet and potentially to steal user credentials.


News broke, somewhat ironically, on Twitter on Wednesday evening, with several commentators detailing how the cross-site scripting vulnerability - one of the most prolific classes of security flaw in web applications - allows anyone to tweet JavaScript code that runs in other users' browsers, and possibly to steal account details.

Various developers have already posted screenshots on Twitter demonstrating that a tweet containing <script>alert("Yo!");</script> pops an alert dialog reading 'Yo!' in the browser of any logged-in Tweetdeck user who views it.

Tweetdeck users are advised to revoke the application's access to their account by going to Twitter, then visiting 'Settings' and 'Apps'. The vulnerability – which is rumoured to have been introduced by a security researcher – is currently said to affect only Tweetdeck users on Chrome, with the Mac application and the Chrome and Firefox plug-ins reportedly unaffected.

In an email to SCMagazineUK.com, George Anderson, director at Webroot, commented, “As Tweetdeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign in again on a secure browser session and change their log-ins. It's also best not to use Tweetdeck as long as it remains infected.”

Rapid7's Trey Ford agreed, observing in an email to SCMagazineUK.com: “The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user's session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat.”

It has been suggested that hackers could use the vulnerability as part of a larger attack, possibly sending users to malware-ridden websites in order to steal their Tweetdeck log-in details. Anderson warned, “The script is able to send any sensitive information accessible from within the browser back to the hacker, so a potential attacker can gain access to the user's private information – such as passwords, usernames and card numbers.”

Ford adds, “Tweetdeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter. This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a ‘worm' that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.”
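The flaw Ford describes, a tweet rendered as markup rather than as text, comes down to one missing step at the point where untrusted tweet text meets the page. The following is an added example written for this article, not Tweetdeck's or Twitter's code: it renders constructed sample tweets through a vulnerable template that concatenates the text straight into HTML, and through a hardened one that escapes it first, then scans each result for tags that did not come from the template. The first sample tweet mirrors the alert("Yo!") proof of concept quoted above; the rendering functions, the tag scanner and the sample data are all assumptions made for illustration.

```javascript
// Added example (not Tweetdeck's code): why a tweet that is interpolated straight
// into markup runs as script, and how output escaping stops it.

// Constructed sample tweets. The first mirrors the proof of concept quoted in the
// article; the second is an ordinary tweet that happens to contain angle brackets.
const SAMPLE_TWEETS = [
  { user: "attacker", text: '<script>alert("Yo!");</script>' },
  { user: "alice", text: "if a < b && b > c then ... <3" },
];

// The five characters that matter when text lands in HTML element content or in a
// quoted attribute value.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable: tweet text is concatenated into markup untouched, so a tweet
// containing <script> becomes part of the page's code when the tweet is viewed.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened: every untrusted field is escaped at the moment it enters the markup,
// so the same tweet is displayed as literal text.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Report tag names that were not part of the template. The template only ever
// emits <div> and <b>, so any other start or end tag came from tweet content.
const TEMPLATE_TAGS = new Set(["div", "b"]);
function injectedTags(html) {
  const found = [];
  for (const m of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)) {
    const name = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(name)) found.push(name);
  }
  return found;
}

// Render each sample both ways and list the tags smuggled in by the content.
function demo() {
  return SAMPLE_TWEETS.map((t) => ({
    user: t.user,
    unsafe: injectedTags(renderTweetUnsafe(t)),
    safe: injectedTags(renderTweetSafe(t)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

Run with node: the attacker's tweet yields a script start and end tag on the unsafe path and nothing on the safe path, while alice's tweet is harmless either way because `< b` and `<3` do not begin a tag. Escaping at output time, rather than trying to filter `<script>` out of the input, is what closes the hole: the same treatment stops `<img onerror=...>` and every other tag the scanner here would not have been told about.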

This is not the first time Tweetdeck has faced XSS problems: F-Secure researcher Mikko Hypponen detailed a similar flaw back in 2011. At the time, however, the flaw was fixed almost immediately by Twitter, which has owned Tweetdeck since May 2011, when it bought the UK-based firm for £25 million.
