
TweetDeck vulnerability lets attackers execute code remotely

Today, a newly discovered vulnerability in TweetDeck allowed attackers to remotely execute JavaScript code. Users reported pop-up windows reading "Yo!" or "Please close now TweetDeck [sic], it is not safe." Twitter took down all versions of TweetDeck until the bug could be fixed, but has now restored the app, reporting that their fix is working as intended. Users are directed to log out of their accounts and log back in to activate the fix.

When clients are left unpatched, the attack lets users execute their own JavaScript code elsewhere in the browser. So far, most of the reported exploits have been simple pop-up messages, but the potential does exist for more intricate attacks. The vulnerability is believed to be confined to web-based versions of TweetDeck, but other users have reported similar attacks in TweetDeck's Windows app.

The vulnerability is a form of XSS, short for "cross-site scripting," one of the most prolific sources of security flaws in web applications. Researchers have reported XSS vulnerabilities in TweetDeck in the past, most notably Mikko Hypponen in 2011, but developers reported the vulnerability as fixed almost immediately, and most believed it to be a closed issue. It's still unclear how the vulnerability resurfaced.

One attack used the vulnerability to trigger TweetDeck's Retweet command, causing any vulnerable client to automatically retweet the string to its followers. The result was the Twitter equivalent of a worm, spreading from account to account. Many popular accounts were hit by the bug, including @NYTimesBusiness, @Vulture, @ScienceNews, @YourAnonNews, @Salon, and @SFGate.

Still, as explained by Timothy B. Lee, the structure of TweetDeck means the bug can only work within TweetDeck's normal permissions, seriously limiting the potential fallout. So while the retweet worm wreaked havoc among social media managers, it appears to have left more sensitive data and infrastructure untouched.