
11 June 2014, updated 09 Jun 2021 9:31am

Using Tweetdeck? Log out right now, or someone might take control of your computer

An old error has re-emerged, and it could cause trouble for those using Twitter’s dashboard application.

By Ian Steadman

If you use Tweetdeck, Twitter’s dashboard client, listen up – somebody, somewhere, has made a mistake, and you should log out right now until it’s fixed. You should also revoke the access Tweetdeck has been granted to your Twitter account, which can be done by going into settings, going to the apps section, and clicking “revoke access” next to Tweetdeck.

What’s happened here is that the thing that lets Tweetdeck know what’s what in a tweet has changed. Think of it this way: a website doesn’t look like a website to a web browser; the browser renders it from lines of code. (Chrome and Firefox users can see the source code of any website by right-clicking and choosing “view source”.) What should happen with Tweetdeck is that it interprets each tweet as a block of plain text, which it then displays as a tweet in one of its columns. The problem is that, when a tweet contains code, it isn’t treated as plain text.

So, for example, this tweet…

…will cause Tweetdeck to display a pop-up alert box with the text “XSS in tweetdeck” in it. (That your web browser doesn’t do it is a sign that it’s not an idiot, like Tweetdeck.)


In short, Tweetdeck is interpreting any code that anyone writes in a tweet as a valid JavaScript command, and will run it. This means that someone could, in theory, make your web browser do something you wouldn’t expect it to, simply because you have Tweetdeck open. This is very bad. Similar bugs in Tweetdeck in 2010, 2011 and 2012 caused havoc, and in the most severe cases allowed people to apparently take control of other users’ accounts.
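To make the mistake concrete, here is an added illustration (not code from the article or from Tweetdeck itself) of the difference between pasting tweet text straight into a column’s HTML and encoding it first; the function names and the sample tweet are made up for the example.

```javascript
// Added example, not Tweetdeck's code: why building a tweet's HTML from raw
// tweet text runs whatever markup the tweet contains, and how encoding the
// text as data prevents it. All function names here are hypothetical.

// Encode the five characters that let text break out of an HTML text node
// or attribute value, so the browser shows them instead of parsing them.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The flawed pattern: tweet text goes straight into the column's markup, so
// a tweet containing a <script> tag becomes a script the browser executes.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet" data-id="${tweet.id}">` +
    `<b>@${tweet.user}</b>: ${tweet.text}</div>`;
}

// The fix: every piece of user-controlled text is encoded before it is placed
// into HTML, so the same tweet is displayed as literal characters.
function renderTweetSafe(tweet) {
  return `<div class="tweet" data-id="${escapeHtml(tweet.id)}">` +
    `<b>@${escapeHtml(tweet.user)}</b>: ${escapeHtml(tweet.text)}</div>`;
}

// Constructed sample tweet mirroring the one the article describes: its text
// is a script tag that would pop an alert box reading "XSS in tweetdeck".
const sampleTweet = {
  id: "1",
  user: "someone",
  text: '<script>alert("XSS in tweetdeck")</script>',
};

// Check a reviewer can run over rendered output: did markup from the tweet
// body reach the page unencoded? True means the renderer is vulnerable.
function containsLiveTag(html, text) {
  return /<[a-z][^>]*>/i.test(text) && html.includes(text);
}

console.log(containsLiveTag(renderTweetUnsafe(sampleTweet), sampleTweet.text)); // true
console.log(containsLiveTag(renderTweetSafe(sampleTweet), sampleTweet.text));   // false
```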

Until Twitter – which owns Tweetdeck – pushes out an update (and they’re usually pretty quick at these, but ohmygod how did a bug like this get pushed out?), there’s a great explanatory video from Tom Scott that goes into what’s known as cross-site scripting, “the number one vulnerability on the web today”:
