A "cross-site scripting" (XSS) vulnerability has been discovered on Twitter's Tweetdeck client, leaving millions of users open to account hijacking and more.

Twitter has shut down Tweetdeck while it fixes the problem, despite earlier promising that it had been fixed.

The normal Twitter web interface, and other apps such as Echofon which use Twitter's API, do not seem to be affected. Tweetdeck is aimed at professionals and provides a web- or app-based interface to Twitter with the ability to show multiple views of different searches and users.

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up. — TweetDeck (@TweetDeck) June 11, 2014

The flaw leads to vulnerable versions of Tweetdeck (3.7.1-19002e5) running javascript code contained in tweets from other sites. Most attacks using the vulnerability are no more than irritations, opening warning dialogues on users' computers - though one version created a retweet of itself, and spread 38,000 times in two minutes, and another changed the font on Tweetdeck itself to Comic Sans.

The original advice offered by the official Tweetdeck account claimed that the flaw had been fixed, and that users should log out and back in to their accounts to get the update.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix. — TweetDeck (@TweetDeck) June 11, 2014

But others found that the flaw persisted, despite following the official advice.

Welp. Logged out of Tweetdeck, logged back in, and got this: So clearly Twitter's "fix" does not work! pic.twitter.com/Sv7bpvaqfQ — Matt Rosoff (@MattRosoff) June 11, 2014

"Logged out of Tweetdeck, logged back in, and got this," tweeted journalist Matt Rosoff, posting a picture of a harmless XSS exploit. "So clearly Twitter's 'fix' does not work!"

Tweetdeck then acknowledged that the fault had not been fixed:

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up. — TweetDeck (@TweetDeck) June 11, 2014

"We've temporarily taken TweetDeck services down to assess today's earlier security issue," it tweeted. "We'll update when services are back up."

Theoretically, such flaws can be used to take over accounts, post tweets, unfollow and follow people, and more.



Twitter itself suffered a similar vulnerability in September 2010 that proved embarrassing after it was discovered by an Australian teenager.

Tweetdeck was originally a British company, and was acquired by Twitter for about £25m ($40m) in May 2011.



Twitter had not responded to a request for comment by the time of publication.