TweetDeck XSS worm goes viral

A cross-site scripting bug in the popular TweetDeck client program from Twitter caused annoying popups for large numbers of users, including me. Goodbye TweetDeck.

If you use the TweetDeck client for Twitter, you probably received a rude and confusing set of tweets today around 11:45 Eastern. It resulted in a popup message similar to the one nearby.


"XSS" stands for cross-site scripting. Someone figured out how to write a tweet containing code which, when TweetDeck rendered the tweet, ran inside the client and retweeted itself. The result is a worm, the likes of which have become relatively scarce in recent years.
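The defect behind a worm like this is a client that drops untrusted tweet text straight into the page as markup, so anything that looks like HTML or script in the tweet is interpreted instead of displayed. The following is an added illustration, not the post's code and not TweetDeck's: a vulnerable render routine beside a hardened one that encodes each field for the context it lands in and only turns http(s) links into anchors. The tweet object, its field names and the sample values are constructed for the example.

```javascript
// Added example (not from the post or from TweetDeck): rendering untrusted
// tweet text so that markup inside it is shown as text, never executed.
// The tweet shape {user, text, urls} is an assumption made for this demo.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for the HTML text context and for double-quoted attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allowlist: only http(s) URLs become clickable; any other scheme is dropped.
function safeUrl(u) {
  try {
    const parsed = new URL(u);
    return parsed.protocol === 'http:' || parsed.protocol === 'https:' ? parsed.href : null;
  } catch (_) {
    return null; // not a parseable URL
  }
}

// The vulnerable pattern: raw concatenation into markup, which is what
// assigning the result to innerHTML in a browser amounts to.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened: every untrusted field is escaped, and links pass the allowlist.
function renderTweetSafe(tweet) {
  const links = (tweet.urls || [])
    .map(safeUrl)
    .filter(Boolean)
    .map((u) => `<a href="${escapeHtml(u)}">${escapeHtml(u)}</a>`)
    .join(' ');
  return `<div class="tweet"><b>${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)} ${links}</div>`;
}

// Constructed sample: a tweet whose text carries markup with an event handler,
// plus one acceptable link and one with a scheme the allowlist rejects.
const SAMPLE_TWEET = {
  user: 'someone',
  text: 'hello <b onclick="run()">world</b>',
  urls: ['https://example.com/a', 'javascript:void(0)'],
};

console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```

In the unsafe output the `<b onclick=...>` survives as live markup; in the safe output it appears as literal text and the non-http link is gone. Escaping on output this way is the mitigation; the page does not show the actual TweetDeck payload, and nothing here depends on it.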

I appear to have gotten it from some German guy I don't even follow, so I'm not sure how that happened, unless he started it all.

In fairness to Twitter, they fixed the bug fairly quickly, although users had to log out and log back in to make the fix effective. The code for the attack is below:


I take two lessons from this: As I mentioned in my recent "10 online attacks we could have easily prevented", XSS is sometimes pooh-poohed as a minor problem with no significant consequences, but I'm sure the TweetDeck people think this was significant. It wasted a bit of my time and caused me the embarrassment of passing it on to others.

Trey Ford, Global Security Strategist at Rapid7 reminded me that there's historical precedent for this: "This worm hearkens back to the MySpace 'Samy Worm' in 2006, except for one key step - this worm does not appear to have the ability to force your account to follow the attacker."

I had been using TweetDeck for many years, since well before Twitter acquired it and stopped doing any real development on it. That wasn't enough for Twitter though. They had to make everyone else stop development too, so almost two years ago they tightened up the rules for using their API, rate-limiting the use of the API from specific clients. Many of the better Twitter client developers have thrown in the towel and stopped working on their software.

As it happens, I had, just a few days ago, decided that I had enough of what I see as weird scrolling behavior in TweetDeck and solicited suggestions for a new client program. I still haven't found one that works for me because there aren't that many that still let new users register. Thanks Twitter.

If you have any suggestions for me, I need Windows 7 and Windows 8, so Ed Bott's and James Kendrick's favorite Tweetium for Windows 8.1 isn't an option. Help! I'm already falling far behind.