TweetDeck, an extremely popular application for using Twitter, is sending people messages that read “yo,” “penis,” and other silly phrases due to a security vulnerability in the app. The same flaw has also caused users’ accounts to retweet messages they never chose to retweet.
TweetDeck XSS pic.twitter.com/tgT9w0bZ1q
— Andreas Lindh (@addelindh) June 11, 2014
TweetDeck just said “Yo!” to me pic.twitter.com/KWyspVIGeH
— Anthony Quintano (@AnthonyQuintano) June 11, 2014
Well that’s an interesting error message from @TweetDeck pic.twitter.com/5u4XLBJLhC
— Peter Bennett (@Solar_Editor) June 11, 2014
Good to know, TweetDeck. Thanks! pic.twitter.com/YJ0qQox5Ar
— Agustina Prigoshin (@AgustinaP) June 11, 2014
The reason for these and other bizarre messages is what’s called a cross-site scripting, or XSS, vulnerability with TweetDeck’s Web app and its extension in the Google Chrome browser. Before reading any further, if you use TweetDeck through either of these apps, you should go log out and revoke its access from your Twitter settings, which you can do here.
If you’re using @TweetDeck, close it NOW. There’s a killer XSS vulnerability in the wild and in use. Wait for them to give the all clear.
— Tom Scott (@tomscott) June 11, 2014
Log out of https://t.co/SlWijVBqMi until this scripting security bug is fixed: <script>alert("XSS in tweetdeck");</script>
— Chris Williams (@diodesign) June 11, 2014
Internet and social media expert Tom Scott, whose tweet is above, went on to describe the scripting issue as “an absolutely staggering security hole” in a blog post. He explained that the vulnerability could let an attacker do anything from making weird messages appear (as seen above) to potentially taking complete control of someone’s account.
One user figured out how to send a tweet that would automatically be retweeted by every follower running a vulnerable TweetDeck app. Because each forced retweet pushed the tweet into still more timelines, it set off an automated chain reaction that accumulated more than 40,000 retweets in about 20 minutes. The number of retweets has been slowly declining as more inadvertent retweeters undo the action.
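To make the class of bug concrete, here is an added illustration written for this page. It is not TweetDeck’s code and does not claim to reproduce TweetDeck’s actual rendering path; the function names are assumptions, and the sample tweet is constructed from the one quoted above. It shows that a client which splices tweet text straight into HTML turns any markup in the tweet into live script, while a client that escapes the text first displays the same tweet as inert characters. The last renderer shows a general ordering hazard, stated as a general point rather than as what happened here: any entity-decoding step that runs after escaping undoes the escaping, so escaping has to be the final operation before markup is built.

```javascript
// Added example, not TweetDeck's code: how tweet text that carries markup
// behaves under different rendering strategies. Runs under Node; no DOM needed.

// Constructed sample, modelled on the tweet quoted in the article.
const SAMPLE_TWEET =
  'Log out of https://t.co/SlWijVBqMi until this scripting security bug is fixed: ' +
  '<script>alert("XSS in tweetdeck");</script>';

// Unsafe pattern (hypothetical): untrusted tweet text concatenated into markup,
// as with innerHTML-style rendering. Any <script> element or event-handler
// attribute inside the tweet becomes live in the page.
function renderTweetUnsafe(text) {
  return `<div class="tweet-body">${text}</div>`;
}

// Escape the five characters that can open a tag, close one, or break out of
// an attribute value. '&' goes first so the entities produced afterwards are
// not themselves re-escaped.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Safe pattern: escape immediately before the text is placed into markup.
function renderTweetSafe(text) {
  return `<div class="tweet-body">${escapeHtml(text)}</div>`;
}

// Minimal entity decoder, standing in for any "decorate the text" pass a
// client might run on already-escaped content (emoji shortcodes, smart
// quotes, and so on). '&amp;' is decoded last, mirroring escapeHtml.
function decodeEntities(s) {
  return String(s)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Ordering hazard (a general point, not a claim about TweetDeck's code): a
// decoding pass that runs after escaping restores the raw payload.
function renderTweetEscapedThenDecoded(text) {
  return `<div class="tweet-body">${decodeEntities(escapeHtml(text))}</div>`;
}

// Crude marker used only to make the difference visible in this demo: does the
// produced markup contain a raw <script> start tag? A real client should rely
// on escaping plus a Content-Security-Policy, never on detection like this.
function hasLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the constructed sample with each strategy and report which ones
// leave a live script tag in the output.
function demo() {
  const strategies = [
    ['unsafe', renderTweetUnsafe],
    ['escaped', renderTweetSafe],
    ['escaped-then-decoded', renderTweetEscapedThenDecoded],
  ];
  return strategies.map(([name, render]) => {
    const html = render(SAMPLE_TWEET);
    return { name, live: hasLiveScriptTag(html), html };
  });
}

for (const r of demo()) {
  console.log(`${r.name}: live script = ${r.live}\n  ${r.html}`);
}
```

The same reasoning applies to every context the text lands in: text inside an element is the simplest case, while attribute values, URLs and inline script need context-specific encoders, and a Chrome extension additionally gets a manifest content security policy that blocks inline script even when escaping is missed.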
Twitter, which purchased TweetDeck in 2011 for about $40 million, initially said that it had patched the vulnerability.
“We’re aware of the issue, and it is now fixed,” Twitter spokeswoman Rachel Millner told the Daily Dot in an email. “Users should log out of TweetDeck and log back in to make sure the fix is fully applied.”
Soon after, however, Millner followed up by sending a link to this tweet as an update:
We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014
It seems we’re not out of the woods quite yet. This is a developing story. We will continue to provide updates as we learn more.
Update: The TweetDeck team says that it has patched the XSS vulnerability and restored functionality to all affected apps.
We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014
Update 2: Turns out, the whole TweetDeck “hack” was an accident committed by a 19-year-old Austrian kid named Florian. He just wanted to add heart shapes to his tweets in a new way. (Really.)
Photo by Uncalno Tekno/Flickr (CC BY 2.0)