
Tweetdeck users warned on XSS vulnerability


A new XSS vulnerability in Tweetdeck, the popular social media management platform for Twitter, could allow hackers to execute JavaScript code and even steal user credentials.


News broke, somewhat ironically, on Twitter on Wednesday evening, with several commentators detailing how the cross-site scripting vulnerability - one of the most prolific sources of security flaws in web applications - can allow anyone to tweet JavaScript code, and possibly steal account details.

Various developers have already posted screenshots on Twitter showing that they can tweet `<script>alert("Yo!");</script>` and have a pop-up reading ‘Yo!’ appear for logged-in users who view the tweet.

Tweetdeck users are advised to revoke the application's access to their account by going to Twitter and visiting ‘Settings’ and then ‘Apps’. The vulnerability – which is rumoured to have been introduced by a security researcher – is currently said to affect only Tweetdeck Chrome users, with those on the Mac application and the Chrome and Firefox plug-ins reportedly unaffected.

In an email to SCMagazineUK.com, George Anderson, director at Webroot, commented: “As Tweetdeck is a web app, signing out might help to contain the infection, as long as users' devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign in again on a secure browser session and change their log-ins. It's also best not to use Tweetdeck as long as it remains infected.”

Rapid7's Trey Ford agreed, observing in an email to SCMagazineUK.com: “The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user's session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat.”

It has been suggested that hackers could use the vulnerability as part of a larger attack, possibly sending users to malware-ridden websites in order to steal their Tweetdeck log-in details. Anderson warned: “The script is able to send any sensitive information accessible from within the browser back to the hacker, so a potential attacker can gain access to the user's private information – such as passwords, usernames and card numbers.”

Ford added: “Tweetdeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter. This vulnerability very specifically renders a tweet as code in the browser, allowing various cross-site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a ‘worm’ that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome.”
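The defect Ford describes, a tweet inserted into the page as markup rather than as text, is shown below alongside the fix, as an added example that is not Tweetdeck's code. The tweet object, the `renderTweet*` functions and the sample payload (the one quoted above) are constructed for illustration; the code runs under Node.js with no DOM and returns the rendered HTML as a string so both forms can be compared.

```javascript
// Added example (not Tweetdeck's code): rendering a tweet as markup versus
// rendering it as text, using the payload quoted in the article.

// Every character that is significant in an HTML text or attribute context
// maps to an entity. Escaping only '<' is not enough: quotes break out of
// attributes and '&' lets an attacker smuggle in entities of their own.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: untrusted tweet text concatenated straight into markup
// (the equivalent of assigning it to innerHTML). Kept only to show the defect
// the article describes: the browser parses the tweet as tags and runs it.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-user="${tweet.user}">${tweet.text}</div>`;
}

// Hardened pattern: each untrusted field is escaped for the context it lands
// in (attribute value and element body), so the browser shows it as text.
function renderTweetSafe(tweet) {
  const user = escapeHtml(tweet.user);
  const text = escapeHtml(tweet.text);
  return `<div class="tweet" data-user="${user}">${text}</div>`;
}

// Cheap regression check for a rendered fragment: a value that came from a
// tweet should never leave an executable element in the output.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: the payload the article quotes, as a tweet body.
const SAMPLE_TWEET = { user: 'demo_user', text: '<script>alert("Yo!");</script>' };

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```

The same escaping applies to any other field lifted from a tweet (display name, bio, link text); in a real DOM, setting `textContent` instead of `innerHTML` achieves the same effect for element bodies.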

This is not the first time Tweetdeck has faced XSS problems, with F-Secure researcher Mikko Hypponen detailing a similar flaw back in 2011. At the time however, the flaw was fixed almost immediately by Twitter, which has owned Tweetdeck since May 2011, when it bought the UK-based firm for £25 million.
