
This morning, as I was logging into various social networks, I was presented with a popup from an XSS on TweetDeck. This set every hair on my neck on fire, because it is obviously not the normal welcome screen.

After some investigation, I found a tweet from one account I follow that contained the following JavaScript code as an example. That should have been harmless, but TweetDeck wasn't sanitizing the input, which caused the code to execute in the browser.

This is why: someone injected this into their tweet. When you logged into TweetDeck, it triggered the vulnerability:

As you can see, the XSS payload was set to automatically retweet itself via data-action:retweet, causing a chain reaction for anyone who logs into TweetDeck.
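The root cause described above is tweet text being placed into the page without sanitization. The following is an added example, not TweetDeck's code, showing the class of bug beside its fix: a constructed tweet containing an inert script tag is rendered once by raw interpolation into markup and once with every untrusted value HTML-escaped first. The template, the escaping function, and the tag-count check are all assumptions made for this illustration.

```javascript
// Characters that change meaning inside HTML text or a double-quoted attribute.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so it is rendered literally rather than parsed as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => ESCAPES[ch]);
}

// Constructed sample tweet: the text carries a script tag, as in the incident
// above, but the payload here is a harmless alert.
const SAMPLE_TWEET = {
  user: 'example_user',
  text: '<script>alert(1)</script> hello',
};

// Unsafe rendering (the bug): untrusted fields go straight into the markup, so
// a script tag in the tweet text becomes a live script tag in the client.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-user="${tweet.user}">${tweet.text}</div>`;
}

// Safe rendering (the fix): every untrusted field is escaped before it enters
// the markup, so the script tag survives only as visible text.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-user="${escapeHtml(tweet.user)}">${escapeHtml(tweet.text)}</div>`;
}

// Count element tags in a rendered fragment. The template itself contributes
// exactly two (the opening and closing div); anything beyond that came from
// user-controlled data and indicates an injection.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

const TEMPLATE_TAG_COUNT = 2;

// Regression check suitable for a test suite: true only when the output
// contains no tags other than the template's own.
function rendersOnlyTemplateTags(html) {
  return countTags(html) === TEMPLATE_TAG_COUNT;
}

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET), rendersOnlyTemplateTags(renderTweetUnsafe(SAMPLE_TWEET)));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET), rendersOnlyTemplateTags(renderTweetSafe(SAMPLE_TWEET)));
```

Escaping is context-specific: this covers HTML text and double-quoted attribute values, which is where tweet content lands in this template. Data that ends up inside a URL, a style, or a script block needs the encoding for that context instead, and a tag-count check like the one above only catches injected elements, not attribute-level injection, so it complements rather than replaces output encoding at every sink.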

This is a very serious security flaw. TweetDeck says they have already addressed the issue:

To be safe, though, we recommend logging out of TweetDeck, revoking its access in your Twitter profile, and resetting all connections if you want to continue using the application.

What is very annoying about this is that you can't undo the automatic retweet, making it very difficult to remove from people's timelines. Thankfully, the attack is mostly benign and appears intended to make a statement rather than cause harm, but it's a clear example of how even the largest applications can be exploited.