How to keep the XSS TweetDeck bug from posting on your behalf

The XSS Hole in TweetDeck is more than a nuisance. If you're a user of the popular Twitter client, here's how to protect yourself

Use the Windows Task manager to kill Tweet Deck without interacting with the client.

Use the Windows Task manager to kill Tweet Deck without interacting with the client.

Twitter went into crisis mode today to fix an XSS flaw in the popular TweetDeck client that has users retweeting the virus-like vulnerability against their will. Despite swift action, the exploit spread like wildfire, gaining tens of thousands of retweets in minutes, and the number is still growing.

The current fix in place requires user intervention to apply, with a logout required before the hole is closed. Moreover, some users were still reporting the problem post-logout.

Here's a quick step-by-step on how to back out of that annoying retweet cycle dialog box, deauthorize third-party applications from accessing your Twitter account and log out of TweetDeck.

If this exploit hits you, don't click on any dialog boxes TweetDeck brings up, even to close them. Instead start your task manager (Ctrl-Alt-Del) and kill them the old-fashioned way.

Next, go to your Twitter account settings page by clicking the gear icon in the top right corner.

Now, find and click on the Apps entry near the bottom of the menu to the left.

You'll get a list of the apps you've authorized Twitter to access. Find TweetDeck and click "Revoke access." This will keep TweetDeck from accessing your account. While you're here, take a moment to deauthorize the other apps you don't use anymore. There's likely to be quite a few.

Now it's time to log out of TweetDeck itself. Start up TweetDeck (Chrome's version is best) and ignore the prompt to reauthorize. Click on the gear in the lower left corner and you'll see a selection to sign out of TweetDeck. Sign out, and you'll get to the startup page. Once you're there, you're done.

Later, when you sign back in again, you'll be asked to reauthorize TweetDeck. Go ahead and reauthorize, as the patched code is now in place.

Twitter took down Tweetdeck for a short time this morning to evaluate fixes and restored services 90 minutes later.  Users should be good to go, although more paranoid tweeters might want to stick with the vanilla web client for a day or so to see how things pan out.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags internetFacebooktwittersocial networkingXSSTweetDeckInternet-based applications and services

More about TweetDeck

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jim Norris

Latest Videos

More videos

Blog Posts