Users are directed to log out and log back in to activate the fix
The vulnerability is a form of XSS, short for "cross-site scripting," one of the most prolific sources of security flaws in web applications. Researchers have reported XSS vulnerabilities in TweetDeck in the past, most notably Mikko Hypponen in 2011, but the developers reported that vulnerability as fixed almost immediately, and most believed it to be a closed issue. It's still unclear how the vulnerability resurfaced.
wtf?! pic.twitter.com/B18fUIat2j — Kevin Smith (@OfficialKLS) June 11, 2014
One attack used the vulnerability to trigger TweetDeck's Retweet command, causing any vulnerable client to automatically retweet the string to its followers. The result was the Twitter equivalent of a worm, spreading from account to account. Many popular accounts were hit by the bug, including @NYTimesBusiness, @Vulture, @ScienceNews, @YourAnonNews, @Salon, and @SFGate.
Still, as explained by Timothy B. Lee, the structure of TweetDeck means the bug can only work within TweetDeck's normal permissions, seriously limiting the potential fallout. So while the retweet worm wreaked havoc among social media managers, it appears to have left more sensitive data and infrastructure untouched.