Update 2 PM EST:
@tweetdeck says: “We’ve verified our security fix and have turned TweetDeck services back on for all users.”
Although Twitter Inc (NYSE:TWTR) said it fixed the XSS vulnerability in TweetDeck, we’re starting to hear reports that it hasn’t been fixed after all. The Guardian reports that some users continue to have problems in spite of the fact that they logged out of TweetDeck and then back into it. Journalist Matt Rosoff tweeted that he was still having problems.
It is recommended that users of TweetDeck should not only log out of the app but also revoke its access to Twitter immediately. If they don’t, they could be subject not only to troublesome popups and possible more nefarious hacks, but also possibly having their Twitter accounts taken over by the hackers.
Twitter Inc (NYSE:TWTR) has taken down all TweetDeck services, so if you can’t get into your account to revoke access right now, it’s because Twitter has completely taken it down.
Twitter Inc (NYSE:TWTR) is advising users to log out of TweetDeck and then back in to get the patch for a major vulnerability. Here is the updated tweet from TweetDeck advising users to apply the fix by logging out and then back in:
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014
TweetDeck gets hacked
Numerous tech sites began noticing a bunch of tweets regarding an XSS vulnerability. Basically that meant Twitter wasn’t removing dangerous codes from scripts. XSS is short for cross-site scripting, and when there’s a vulnerability in it, it means hackers are able to put troubling scripts into web pages. That script could then allow them to access user accounts and sensitive security information, according to Business Insider.
What happens to users who don’t fix the TweetDeck hole?
According to The Verge, so far hackers have only done rather harmless things like send popup messages through the hole. However, the type of vulnerability it is allows them to do much more dangerous things. At least one of the exploits of that vulnerability spammed the Retweet command in TweetDeck. That meant any user who was vulnerable to the bug automatically retweeted a string to all of its followers.
Currently it’s believed that the vulnerability is only to the web-based version of TweetDeck, although apparently users of the Windows version of that app have also reported similar attacks. This isn’t the first time someone has discovered an XSS vulnerability in TweetDeck. At this point we still don’t know how this hole opened up again.
The only good news about this hole is that experts don’t believe the hackers were able to access private chat sessions, webmail or banking information because Twitter Inc (NYSE:TWTR) has coded the app as HTTP only.