Tweetdeck users warned on XSS vulnerability

News by Doug Drinkwater

A new XSS vulnerability in Tweetdeck, the popular social media management platform for Twitter, could allow hackers to execute JavaScript code and even steal user credentials.

News broke, somewhat ironically, on Twitter on Wednesday evening, with several commentators detailing how the cross-site scripting vulnerability - one of the most prolific sources of security flaws in web applications - can allow anyone to tweet JavaScript code, and possibly steal account details.

Various developers have already shown via numerous screenshots on Twitter demonstrating that they can enter script>alert("Yo!");</script> to message ‘yo' to logged in users.

Tweetdeck users are advised to revoke their access to the application by going to Twitter and then visiting ‘settings' and ‘apps'. The vulnerability – which is rumoured to have been introduced by a security researcher – is currently said to only affect Tweetdeck Chrome users, with others on the Mac application and the Chrome and Firefox plug-ins reportedly unaffected.

In an email to, George Anderson, director at Webroot commented, “As Tweetdeck is a web app, signing out might help to contain the infection, as long as users devices are not already infected. Because XSS steals the cookie sign-on information, users should get rid of all saved passwords, as well as sign-in again on a secure browser session and change their login-ins. It's also best not to use Tweetdeck as long as it remains infected.”

Rapid7's Trey Ford agreed, observing in an email to “The guidance from Tweetdeck is simple and correct – log out, and log back in. One of the most common and useful XSS attacks is used to steal the user's session, effectively enabling an attacker to log in as you. Logging out will eliminate that threat."

It has been suggested that hackers could use the vulnerability as part of a larger attack, possibly sending users to malware-ridden websites, in order to steal their Tweetdeck log-in details. Anderson warned, "The script is able to send any sensitive information accessible from within the browser back to the hacker, so a potential attacker can gains access to the user's private information – such as passwords, usernames and card numbers."

Ford adds, “Tweetdeck appears to have jumped on this issue and patched it, but we're still seeing it spread like wildfire through Twitter.  This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a “worm” that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome."

This is not the first time Tweetdeck has faced XSS problems, with F-Secure researcher Mikko Hypponen detailing a similar flaw back in 2011. At the time however, the flaw was fixed almost immediately by Twitter, which has owned Tweetdeck since May 2011, when it bought the UK-based firm for £25 million.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews