Twitter turns off Tweetdeck to 'assess' JavaScript security breach (update: it's back)
If you're a Tweetdeck user and can't log in right now -- there's a reason. The service's webapp contained a vulnerability that let it run scripts embedded in tweets; just reading a tweet could cause a popup to appear on your screen, redirect you to another website, hijack your account or even cause you to retweet something without knowing. Since Tweetdeck is used by many of the social media managers for widely-followed accounts, a flaw that spreads itself could quickly replicate across the service.
The official Tweetdeck account claimed the vulnerability was fixed earlier, but that doesn't appear to have worked, and as a result, Twitter has taken the service down "to assess today's earlier security issue." Even though you can't log in right now, it would probably be a good idea to revoke the service's access to your account entirely until things are resolved.
Update: Tweetdeck says it's verified a security fix and turned the service back on -- who wants to be the first to confirm if it's actually safe?
[Image credit: Simon Dawson/Bloomberg via Getty Images]
We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
- TweetDeck (@TweetDeck) June 11, 2014
We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.
- TweetDeck (@TweetDeck) June 11, 2014
Oh dear. That Tweetdeck XSS vulnerability is RT-ing stuff... it's just hit @BBCBreaking! pic.twitter.com/8siffmsFxi
- Matt Navarra (@MattNavarraUK) June 11, 2014
@astroehlein tweetdeck is not stripping out dangerous scripting code from tweets. So you can run JavaScript in the context of another user
- Chris Williams (@diodesign) June 11, 2014