Twitter's useful TweetDeck app is vulnerable to a cross-site-scripting (XSS) flaw that a lot of people have run in to today.
While browsing today, my TweetDeck tab in Google Chrome came to the front by itself with a message simply saying "XSS in TweetDeck". At the same time, my co-worker Jari sent me a link to a tweet that - when combined with TweetDeck - would automatically Re-tweet the message and spread.
Here is a screenshot of the tweet, before it is inevitably taken offline
It appears that to be affected by it, all you need is for it to appear in your timeline in TweetDeck at least in Google's Chrome browser. In our case, it was re-tweeted by an Adobe account, which then exploited the flaw in Jari's TweetDeck to retweet it, and then it showed up in my timeline and I retweeted it.
Of course, you can manually "un-retweet" it if you visit the actual tweet in a browser and just click the RT button again so it is no longer green. Here is the direct link, which should be safe to open in a browser.
You will know if you have been affected by this problem in Chrome if you see something like this...
This particular bit of code doesn't seem that serious on the surface, but as it spread it will cause a nightmare for tweetdeck users. In my case, my Chrome browser threads had to be manually killed to get away from TweetDeck. The code could also, at any point, be made more malicious. This one needs to be fixed ASAP.
UPDATE: TweetDeck has fixed the problem.
Here is a screenshot of the tweet, before it is inevitably taken offline
It appears that to be affected by it, all you need is for it to appear in your timeline in TweetDeck at least in Google's Chrome browser. In our case, it was re-tweeted by an Adobe account, which then exploited the flaw in Jari's TweetDeck to retweet it, and then it showed up in my timeline and I retweeted it.
Of course, you can manually "un-retweet" it if you visit the actual tweet in a browser and just click the RT button again so it is no longer green. Here is the direct link, which should be safe to open in a browser.
You will know if you have been affected by this problem in Chrome if you see something like this...
This particular bit of code doesn't seem that serious on the surface, but as it spread it will cause a nightmare for tweetdeck users. In my case, my Chrome browser threads had to be manually killed to get away from TweetDeck. The code could also, at any point, be made more malicious. This one needs to be fixed ASAP.
UPDATE: TweetDeck has fixed the problem.
We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014
Tags:
TweetDeck
