
If you use Twitter dashboard client Tweetdeck, listen up – somebody, somewhere, has made a mistake, and you should log out right now until it’s fixed. You should also revoke the access Tweetdeck has been granted to your Twitter account, which can be done by going into settings, going to the apps section, and clicking “revoke access” next to Tweetdeck.
What’s happened here is that the part of Tweetdeck that works out what’s what in a tweet has changed. Think of it this way: a website doesn’t look like a website to a web browser, but is instead rendered from lines of code. (Chrome and Firefox users can see the source code of any website by right-clicking and choosing “view source”.) What should happen with Tweetdeck is that it treats each tweet as a block of plain text, which it then displays as a tweet in one of its columns. The problem is that, when a tweet contains code, it isn’t treated as plain text.
So, for example, this tweet…
Log out of https://t.co/SlWijVBqMi until this scripting security bug is fixed:
— Chris Williams (@diodesign) June 11, 2014
…will cause Tweetdeck to display a pop-up alert box with the text “XSS in tweetdeck” in it. (That your web browser doesn’t do it is a sign that it’s not an idiot, like Tweetdeck.)
In short, Tweetdeck is interpreting any code that anyone writes in a tweet as valid JavaScript, and will run it. This means that someone could, in theory, make your web browser do something you wouldn’t expect simply because you have Tweetdeck open. This is very bad. Similar bugs in Tweetdeck in 2010, 2011 and 2012 caused havoc, and in the most severe cases apparently allowed people to take control of other users’ accounts.
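As an added illustration (not Tweetdeck’s own code; the function names and the sample tweet are made up), here is the difference between the two behaviours described above: a client that pastes tweet text straight into its page markup, and one that escapes the text first and only then adds the link markup a Twitter client legitimately needs.

```javascript
// Escape the five characters that carry meaning in HTML so that tweet text
// is displayed as text rather than interpreted as markup.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw tweet is concatenated into the column's HTML,
// so any tag someone types into a tweet becomes part of the page.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened pattern: escape everything first, then linkify http(s) URLs.
// Because the text is already escaped, the URL can only contain inert
// characters, and the href attribute cannot be broken out of with quotes.
function renderTweetSafe(tweet) {
  const escaped = escapeHtml(tweet.text);
  const linkified = escaped.replace(
    /\bhttps?:\/\/[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+/g,
    (url) => `<a href="${url}" rel="noopener noreferrer">${url}</a>`
  );
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${linkified}</div>`;
}

// Constructed sample tweet of the kind the article describes: a link plus a
// script tag that an unsafe renderer would hand to the browser as code.
const sampleTweet = {
  user: "example_user",
  text: 'Log out of https://t.co/SlWijVBqMi until fixed <script>alert("XSS in tweetdeck")</script>',
};
```

In the unsafe output the `<script>` element survives intact; in the safe output it is displayed literally as `&lt;script&gt;…` while the t.co link is still clickable.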
Until Twitter – which owns Tweetdeck – pushes out an update (and they’re usually pretty quick at these, but ohmygod how did a bug like this get pushed out?), there’s a great explanatory video from Tom Scott that goes into what’s known as cross site scripting, “the number one vulnerability on the web today”: