Tweetdeck XSS flaw: revoke access now

Cross-site scripting flaw in the Twitter-owned Tweetdeck client has users racing to revoke the app's access to their accounts

11 Jun 2014

A flaw in Tweetdeck that causes the client to execute script embedded in the text of Tweets is leaving users open to attack, reports suggest - and not for the first time.

The cross-site scripting (XSS) flaw hadn't been confirmed at the time of writing by Twitter, which owns the app, but reports from a wide range of users suggest Tweetdeck renders the text of a Tweet as HTML rather than as plain text, so any script included in a message runs in the app as soon as the Tweet is displayed.

Security analyst Graham Cluley said on Twitter - hopefully not via the afflicted app - that it "seems to be a XSS security hole in Tweetdeck."

For example, a Tweet containing a short piece of JavaScript would pop up a dialog box in the app of anyone who viewed it. A pop-up on its own is harmless - unless it carries a rude message, which many of them do - but it proves that code chosen by the Tweet's author runs in the viewer's client without the viewer knowing or doing anything, and script running inside a logged-in client can do whatever the client itself can do.
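As an added illustration (not code from the original article and not Tweetdeck's own code), the following JavaScript shows the pattern behind a flaw of this kind: Tweet text dropped into markup unescaped, beside the encoded form that stops it. The sample Tweets, their payloads and the function names are constructed for the example and are assumptions, not anything taken from the reported incident.

```javascript
// Added example (not TweetDeck's code): how a client-side XSS of the kind
// reported above arises when Tweet text is placed into markup unescaped,
// and what the fix looks like. Tweets below are constructed samples.

// Constructed sample feed. The second and third carry hypothetical
// script payloads of the "pop up a message" variety.
const SAMPLE_TWEETS = [
  { user: 'alice', text: 'hello world & good morning' },
  { user: 'mallory', text: '<script>alert("xss")</script>' },
  { user: 'mallory', text: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: untrusted text concatenated straight into an HTML
// string that the client will hand to innerHTML. Any tag inside the Tweet
// becomes a live element, and a script or event handler in it runs as soon
// as the Tweet is displayed, with no click from the viewer.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>${tweet.user}</b>: ${tweet.text}</div>`;
}

// Encode the five characters HTML treats as syntax so the browser shows
// them as text instead of parsing them as markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is encoded at the point it is
// placed in markup. In a real client, creating the element and assigning
// tweet.text to textContent is simpler still and never builds HTML strings.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>${escapeHtml(tweet.user)}</b>: ${escapeHtml(tweet.text)}</div>`;
}

// Element names an HTML parser would create from this markup. Used here to
// make the difference visible: the unsafe render yields a script or img
// element the Tweet's author controls; the safe render never does.
function tagNames(markup) {
  return Array.from(markup.matchAll(/<([a-z][a-z0-9]*)/gi), (m) => m[1].toLowerCase());
}

// Which Tweets in a feed would inject an element beyond the two (div, b)
// that the template itself emits, for a given render function.
function injectedTweets(tweets, render) {
  return tweets.filter((t) => tagNames(render(t)).length > 2);
}

for (const t of SAMPLE_TWEETS) {
  console.log('unsafe:', tagNames(renderTweetUnsafe(t)).join(','));
  console.log('safe:  ', tagNames(renderTweetSafe(t)).join(','));
}
```

Run it with node; the loop at the end prints the element names each render would produce for each sample. The point is that encoding happens at output, on every field, rather than that the payload is recognised: a filter that looks for `<script>` misses the `<img onerror>` form, whereas escaping `<` neutralises both.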

The Hacker News feed posted a screenshot of the result, apparently achieved with a single short line of JavaScript in a Tweet.

It's wise to avoid Tweetdeck until the flaw is patched, experts said. "Best advice is to shut it down, and revoke its access to your account via Twitter website," Cluley added.

To do that, log in on the Twitter website, open Settings, and click Apps in the left-hand menu. From there, click Revoke Access next to Tweetdeck. Revoking access invalidates the token Tweetdeck uses to act on your account; it does not close the app itself, so shut down any running copy as well.

Intriguingly, the flaw isn't entirely new: F-Secure's Mikko Hypponen reported the same issue to Tweetdeck in 2011, when it was apparently fixed. It's unclear how the same problem came back. In general, an XSS fix applied at one rendering path rather than at a central output-encoding step is easy to lose when the surrounding code changes, which is one common way such regressions happen.
