If you happen to be using TweetDeck, you may be wondering why you were getting random pop-up messages such as “Yo!”, “XSS in tweetdeck” and “PENIS”. That’s because users discovered an XSS vulnerability that would allow attackers to remotely execute JavaScript code – all through a simple tweet.
XSS (or “cross-site scripting”) vulnerabilities allow an attacker to inject script into a web page that other users then view; the injected JavaScript runs in those users’ browsers with the same access to the site that they have. For example, an XSS vulnerability could allow an attacker to impersonate you on a website.
However, at the time of writing, no malicious use of this vulnerability has been reported. Most people are using it to create pop-up messages. One person did manage to write a tweet that retweets itself using the vulnerability.
<script>alert("XSS in tweetdeck");</script>♥
— freakyclown (@__Freakyclown__) June 11, 2014
The Mac application for Tweetdeck does not appear to be vulnerable to the XSS. Confirmed in Chrome though. <script>alert("Yo!");</script>♥
— Frederic Jacobs (@FredericJacobs) June 11, 2014
TWEETDECK HACKED pic.twitter.com/jueURDt2Jz
— BrainWareIT (@BrainWareIT) June 11, 2014
<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *andy (@derGeruhn) June 11, 2014
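The tweets quoted above work because tweet text reached the page as live HTML rather than as text. The following is an added example, not TweetDeck’s own code: it contrasts a rendering function that concatenates the raw tweet body into markup with one that HTML-escapes every user-controlled field first, using the payload from the first tweet above as constructed sample input. The `escapeHtml`, `renderTweetUnsafe`, `renderTweetSafe` and `containsScriptTag` names are this example’s own.

```javascript
// Added example (not TweetDeck's code): the difference between inserting
// tweet text into the page as HTML and inserting it as escaped text.

// Minimal HTML escaping: neutralises the five characters that let a string
// change the structure of the markup it is placed in.
function escapeHtml(text) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the tweet body is concatenated straight into markup
// that will be handed to innerHTML, so any tag in the tweet becomes live.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">@${tweet.user}</span> ${tweet.text}</div>`;
}

// Hardened pattern: every user-controlled field is escaped first, so the
// tweet body is displayed literally and the browser never sees a tag.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">@${escapeHtml(tweet.user)}</span> ${escapeHtml(tweet.text)}</div>`;
}

// Crude check used only for this demonstration: does the rendered markup
// still contain a raw <script tag that the browser would execute?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input, modelled on the payload tweeted during the incident.
const sampleTweet = {
  user: "example",
  text: '<script>alert("XSS in tweetdeck");</script>♥',
};

console.log("unsafe:", renderTweetUnsafe(sampleTweet));
console.log("safe:  ", renderTweetSafe(sampleTweet));
console.log("unsafe contains live script tag:", containsScriptTag(renderTweetUnsafe(sampleTweet)));
console.log("safe contains live script tag:  ", containsScriptTag(renderTweetSafe(sampleTweet)));
```

Escaping is the minimum; in a real client the tweet body should be placed into the DOM with `textContent` (or an equivalent API that never parses it as HTML), and the escaping rules change if the same text is placed inside an attribute, a URL or a script block rather than element content.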
Twitter says it has fixed the issue. Users should log out and log back in to apply the fix.
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014
UPDATE: Twitter has taken down all TweetDeck services to “assess” the impact of the XSS vulnerability.
We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014