TweetDeck users urged to restart app to avoid XSS attack

12 Jun, 2014

Twitter dashboard TweetDeck has plugged security hole that caused some issues yesterday

TweetDeck was forced offline after a security hole was discovered that could open up users' browsers to cross site scripting (XSS) attacks.

The vulnerability affected several high profile accounts including Labour leader Ed Miliband.

Soon after the discovery, many Twitter users managed to post tweets using the flaw to display dialogue boxes. However, the XSS flaw could allow hackers to inject javascript into web pages to access user accounts and important security information.

The vulnerability seemed to only affect TweetDeck's browser plug-in for Google Chrome. The XSS vulnerability has been reported on both Windows and Mac versions of the TweetDeck app for Chrome.

Initially, users were warned to log out and log back into TweetDeck to prevent users from being hacked. It then took the service down to assess the security issue.

“We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience," it said in a tweet. 

Trey Ford, global security strategist at IT security firm Rapid7, said that while TweetDeck appeared to have jumped on this issue and patched it, the bug was still spreading “like wildfire through Twitter."

"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet. The current attack we're seeing is a "worm" that self-replicates by creating malicious tweets," he said.

George Anderson, director of product marketing at Webroot, said that hackers could have used the flaw to send sensitive information back to them. 

"A potential attacker can gains access to the user's private information – such as passwords, usernames and card numbers,” he said.

Mikko Hypponen, the chief research officer at F-Secure, discovered a similar flaw in Tweetdeck back in 2011.