Twitter has finally fixed the TweetDeck bug that has been plaguing the app today, forcing millions of users to switch off their TweetDeck account and move back to the old Twitter interface, something we know fans of third-party Twitter applications hate to do.
The TweetDeck vulnerability allowed attackers to remotely execute JavaScript code in other users' sessions, forcing pop-ups on the Web application. The flaw is a cross-site scripting (XSS) bug, a class of issue that has hit multiple Web applications and has been a problem for TweetDeck in the past.
Twitter took down all versions of TweetDeck earlier today, citing issues with the Web application. Throughout the downtime Twitter remained silent on the issue, but after it was fixed the company released a statement regarding TweetDeck and asked users to log out and log back in.
For those who have not logged out and back in, the vulnerability is still out there and capable of acting on the Twitter account. From what we know, the attack cannot read information about the user, but it is capable of sending out tweets, liking, favouriting and retweeting without the user's consent.
The attack only affected Web users, although some cases involving the TweetDeck Windows app have been reported. Mobile users are still being told to log out and back in again, in case any pre-patch attacks or vulnerabilities surface.
<script class=”xss”>$(‘.xss’).parents().eq(1).find(‘a’).eq(1).click();$(‘[data-action=retweet]’).click();alert(‘XSS in Tweetdeck’)</script>♥
— *andy (@derGeruhn) June 11, 2014
The tweets posted at the time all contained the same sort of code, and it caused a lot of confusion on Twitter, with most people not realising it was a TweetDeck vulnerability and instead thinking the poster was speaking in code for some strange reason.
This is yet another vulnerability on the Web due to the open nature of content and security. The SSL issue might be larger for the Web as a whole, but for Twitter, XSS issues could be the death of a service like TweetDeck if they happen again.
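The tweet above works because text posted by one user is rendered as live HTML in another user's client. The following is an added illustration, not TweetDeck's actual code (the page does not describe its root cause): it assumes a hypothetical client-side transform that turns the ♥ character into an `<img>` tag, and shows why untrusted tweet text must be HTML-escaped before any such markup is introduced, together with a check a developer could run on rendered output.

```javascript
// Added example (not TweetDeck's code): why the order of escaping and
// markup transforms matters when rendering untrusted tweet text.

// Minimal HTML escaper for text placed into element bodies or attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical emoji transform: replaces a heart character with an <img> tag.
// This is trusted markup the client itself generates.
function heartsToImages(markup) {
  return markup.replace(/\u2665/g, '<img class="emoji" alt="\u2665" src="/heart.png">');
}

// Vulnerable pattern (assumed, for illustration): the raw tweet text is treated
// as markup and would be handed straight to innerHTML, so any tag in the tweet
// survives into the page.
function renderTweetVulnerable(tweetText) {
  return heartsToImages(tweetText);
}

// Hardened pattern: escape the untrusted text first, then apply the transform
// that adds trusted markup. Tags typed into a tweet become visible text.
function renderTweetSafe(tweetText) {
  return heartsToImages(escapeHtml(tweetText));
}

// Check for a unit test or a pre-render assertion: does the produced markup
// contain any element other than the emoji <img> the client itself emits?
function hasUnexpectedTags(html) {
  const withoutEmoji = html.replace(/<img class="emoji" alt="[^"]*" src="\/heart\.png">/g, '');
  return /<[a-zA-Z!\/]/.test(withoutEmoji);
}

// Constructed sample input: markup in the tweet body followed by a heart.
const sample = 'hi <b>there</b> \u2665';
console.log('vulnerable:', renderTweetVulnerable(sample), hasUnexpectedTags(renderTweetVulnerable(sample)));
console.log('safe:      ', renderTweetSafe(sample), hasUnexpectedTags(renderTweetSafe(sample)));
```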