Tweetdeck has an XSS flaw. Here’s what you should do right now

Graham Cluley

A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client.

At the time of writing the cross-site scripting (XSS) flaw doesn’t appear to have been exploited maliciously.

But that doesn’t mean you should rest on your laurels – after all, information about how to exploit the flaw is out there, and it is easy to imagine how someone could take advantage of it for malicious purposes.

XSS in Tweetdeck

In my opinion, Tweetdeck isn’t safe to use until the flaw has been fixed.

So you need to quit Tweetdeck right now, and revoke its access to your Twitter account.

Here’s how you do it:

1. Go to the Apps section of your Accounts settings on the Twitter website: https://twitter.com/settings/applications (If you are not already logged into Twitter, it will ask you to enter your password and two-factor authentication, if enabled).

You should see a screen like this, with your account and the various apps that you have granted access to your Twitter account.

Twitter apps

2. Find Tweetdeck in the list and revoke its access by pressing the button entitled (imaginatively) “Revoke access”:

Revoke Tweetdeck's access to your account

You’re all done.

By the way, there’s no harm in seeing what other applications you have granted access to your Twitter account – and remove any which you don’t recognise or don’t use any more.

Of course, now you don’t have a Twitter client. For the time being you might want to try using the Twitter website itself. Hopefully a fix will be announced for Tweetdeck shortly.

Oh, and feel free to follow me for the latest security news and updates. I’m @gcluley on Twitter.

Update: Tweetdeck says it has fixed the issue.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.