Tweetdeck vulnerability allowed attackers to execute code in 140 characters

If you happen to be using Tweetdeck, you may be wondering why you were getting random pop-up messages such as “Yo!“, “XSS in tweetdeck” and “PENIS“. That’s because users discovered an XSS vulnerability that would allow attackers to remotely execute JavaScript code – all through a simple tweet.

XSS (or “cross-site scripting”) vulnerabilities allow an attacker to inject script into a web page so that it runs in the browsers of other people viewing that page, with the same access as the site’s own code. For example, an XSS vulnerability could allow an attacker to impersonate you on a website.
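As an added illustration (not TweetDeck’s or Twitter’s code), the JavaScript below contrasts a tweet renderer that concatenates raw tweet text into markup with one that HTML-encodes it first; the sample tweet object and its fields are constructed for the example.

```javascript
// Added example: why a tweet's text must be encoded before it is placed in the page.

// Minimal HTML entity encoding, sufficient for text placed in element content
// or inside a double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the tweet body is concatenated straight into markup, so any tag the
// author typed becomes part of the page and the browser runs script it finds there.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened: every user-controlled field is encoded, so the same tweet is shown
// literally as text and never reaches the HTML parser as markup.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Crude check used below: does the rendered markup still contain a raw script tag?
function containsRawScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample tweet carrying a script tag, standing in for the
// pop-up tweets described in the article.
const sampleTweet = {
  user: 'someone',
  text: '<script>alert("Yo!")</script> hello',
};

console.log('unsafe:', renderTweetUnsafe(sampleTweet));
console.log('safe:  ', renderTweetSafe(sampleTweet));
```

In a real client the same rule applies when inserting into the DOM: assign user text with `textContent` rather than `innerHTML`.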

However, at the time of writing, nothing malicious has been done with this vulnerability. Most of the time, people are using it to create pop-up messages. One person, however, managed to code up a script that would retweet itself using the vulnerability.

Twitter has said they have fixed the issue. Users should log out and log back in to apply the fix.

UPDATE: Twitter has taken down all TweetDeck services to “assess” the impact of the XSS vulnerability.

