Tweetdeck XSS flaw: revoke access now
Cross-site scripting hack in Twitter has users racing to revoke access to the app
A flaw in Tweetdeck that automatically runs code from Tweets is leaving users open to attack, reports suggest - and it's not for the first time.
The cross-site scripting (XSS) flaw hadn't been confirmed at the time of writing by Twitter, which owns the app, but reports from a wide range of users suggest Tweetdeck automatically runs any code in a message.
Security analyst Graham Cluley said on Twitter - hopefully not via the afflicted app - that it "seems to be a XSS security hole in Tweetdeck."
WHATTT !! Persistent XSS (Cross-Site Scripting) Attack on Tweetdeck
— The Hacker News (@TheHackersNews) June 11, 2014
It's wise to avoid Tweetdeck until the flaw is patched, experts said. "Best advice is to shut it down, and revoke its access to your account via Twitter website," Cluley added.
To do that, go to Twitter.com, click into Settings, and then click Apps on the left-hand side. From there, click Revoke Access for Tweetdeck.
Intriguingly, the flaw isn't entirely new: F-Secure's Mikko Hypponen reported the same issue to Tweetdeck in 2011, when it was apparently fixed. It's unclear how the same problem could be allowed to happen again.
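The class of flaw reported above, a client that places message text into the page as markup, can be illustrated with an added example. This is not Tweetdeck's code: the function names, the tweet object shape and the sample message are all constructed for illustration. It shows the vulnerable rendering pattern beside a version that escapes the text before adding its own link markup.

```javascript
// Added illustration: not Tweetdeck's code. All names and sample data are constructed.

// Encode the five characters that let text break out of HTML text or attribute context.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: message text is concatenated into markup as-is,
// so any tags in the tweet become part of the page.
function renderTweetUnsafe(tweet) {
  return '<div class="tweet"><b>@' + tweet.user + '</b> ' + tweet.text + '</div>';
}

// Hardened pattern: split the text into URL and non-URL pieces first,
// escape every piece, and only then wrap the URL pieces in the client's own markup.
function renderTweetSafe(tweet) {
  const parts = String(tweet.text).split(/(https?:\/\/[^\s<>"']+)/);
  const body = parts.map((part, i) => {
    const safe = escapeHtml(part);
    // Odd indexes are the captured URLs; they start with http(s):// by construction.
    return i % 2 === 1
      ? '<a href="' + safe + '" rel="noopener noreferrer">' + safe + '</a>'
      : safe;
  }).join('');
  return '<div class="tweet"><b>@' + escapeHtml(tweet.user) + '</b> ' + body + '</div>';
}

// Constructed sample message containing markup.
const sampleTweet = {
  user: 'example_user',
  text: 'hello <script>alert(1)</script> see https://example.com/?a=1&b=2',
};

console.log(renderTweetUnsafe(sampleTweet)); // tag survives into the page
console.log(renderTweetSafe(sampleTweet));   // tag is shown as inert text
```

The ordering matters: escaping after linkifying would mangle the client's own anchor tags, which is a common reason such escaping gets skipped or selectively disabled.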