TweetDeck suffers from xss bug – update
TweetDeck, Twitter’s official power user client, contains an xss bug. This could, for example, allow malicious parties to post tweets automatically on behalf of other users. The normal Twitter site is not affected.
The bug can be triggered by anyone: tweets appear to be parsed by TweetDeck as ordinary html, so placing javascript in a tweet is enough to have that code executed. In theory, this means a malicious person can make someone’s account post a tweet automatically simply by tweeting javascript code at them. Followers could also be removed.
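The rendering mistake described above, as an added illustration that is not TweetDeck’s own code: a web client that concatenates tweet text straight into markup beside one that escapes it first. The tweet, user name and helper names are constructed for the example.

```javascript
// Added example, not TweetDeck's code. Shows why treating tweet text as HTML
// lets markup in a tweet become live DOM, and how escaping prevents it.

// The five characters that can change HTML structure or break out of a
// double-quoted attribute. Escaping them neutralises tags in untrusted text.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: tweet fields are interpolated directly into markup, so any
// tag inside the tweet is parsed as HTML once the string is assigned to innerHTML.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">@${tweet.user}</span> ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it enters the markup,
// so the tweet can only ever contribute text, never elements or attributes.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">@${escapeHtml(tweet.user)}</span> ${escapeHtml(tweet.text)}</div>`;
}

// Detection helper: count the tags present in a rendered fragment. The template
// contributes exactly four; anything beyond that came from the tweet itself.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Constructed sample tweet containing markup and a harmless no-op script.
const SAMPLE_TWEET = { user: "someone", text: "hi <b>there</b> <script>void 0</script> & bye" };

function demo() {
  const unsafe = renderTweetUnsafe(SAMPLE_TWEET);
  const safe = renderTweetSafe(SAMPLE_TWEET);
  return {
    unsafeTags: countTags(unsafe), // 8: four template tags plus four from the tweet
    safeTags: countTags(safe),     // 4: only the template's own tags survive
    safe,
  };
}
```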
As a proof of concept, a German twitterer created a tweet that is automatically retweeted as soon as a TweetDeck user sees it in their timeline. At the time of writing, that post has already been retweeted 39,000 times.
It is not clear which versions are vulnerable. In any case, the web version of TweetDeck is vulnerable; the OS X app is not. It is unclear whether the Windows version is vulnerable. Security researcher Frederik Jacobs states that in this case it is not possible to steal cookies, as is the case with some xss bugs. Nevertheless, security researchers advise against using TweetDeck for the time being.
In 2010, the Twitter website faced a similar problem. Back then, malicious parties could exploit an onMouseOver event: a twitterer created a tweet that was automatically retweeted when users visited twitter.com. Twitter acquired TweetDeck in 2011.
Update, 18:43: According to researcher Jacobs, the bug has since been patched. Users will, however, have to log out and back in again and clear their browser’s cache to prevent TweetDeck’s old, vulnerable javascript code from still being loaded.