A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client.
At the time of writing the cross-site scripting (XSS) flaw doesn’t appear to have been exploited maliciously.
But that doesn’t mean you can afford to be complacent – after all, information about how to exploit the flaw is out there, and it is easy to imagine how someone could take advantage of it for malicious purposes.
XSS in Tweetdeck
In my opinion, Tweetdeck isn’t safe to use until the flaw has been fixed.
So you need to quit Tweetdeck right now, and revoke its access to your Twitter account.
Here’s how you do it:
1. Go to the Apps section of your Account settings on the Twitter website: https://twitter.com/settings/applications (If you are not already logged into Twitter, it will ask you to enter your password and, if you have it enabled, your two-factor authentication code).
You should see a screen like this, with your account and the various apps that you have granted access to your Twitter account.
2. Find Tweetdeck in the list and revoke its access by pressing the button entitled (imaginatively) “Revoke access”:
You’re all done.
By the way, there’s no harm in reviewing which other applications you have granted access to your Twitter account – and removing any which you don’t recognise or don’t use any more.
Of course, now you don’t have a Twitter client. For the time being you might want to try using the Twitter website itself. Hopefully a fix will be announced for Tweetdeck shortly.
Oh, and feel free to follow me for the latest security news and updates. I’m @gcluley on Twitter.
Update: Tweetdeck says it has fixed the issue.
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014