TweetDeck, Twitter’s tool for managing incoming and outgoing 140-character messages, has been hit by an XSS (cross-site scripting) attack that caused warning dialogs to pop up and prevented the usage of the client.

Cross-site scripting is an injection attack in which a web application places attacker-supplied input into a page without validating or encoding it, so that the input is executed as script in the browsers of other users who view that page.

But in some cases the problem was more serious than this, as messages (some of them obscene) from unknown handles were retweeted over and over again. One message, originating from the handle @derGeruhn, was retweeted automatically more than 35,000 times.

Even if the message contained only a piece of code, spreading it this much in such a short period of time was still pretty annoying:

<script class="xss">$('.xss').parents().eq(1).find('a').eq (1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *andy (@derGeruhn) June 11, 2014
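The tweet above could only run because the client inserted the tweet text into the page as raw markup. As an added example (not TweetDeck's code, and assuming hypothetical renderer functions and a sample tweet constructed from the payload quoted above), the following shows that vulnerable pattern next to the hardened form that HTML-encodes the text so the same tweet is displayed literally and stays inert:

```javascript
// Added example, not TweetDeck's code. Two ways of turning a tweet object
// into HTML: the unsafe one interpolates the untrusted body as raw markup,
// the safe one encodes it first. Both are pure string functions so they can
// run in Node without a DOM.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted tweet text pasted straight into markup.
// A body containing a <script> element becomes executable script for
// every user whose client renders the tweet.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">@${tweet.user}</span>` +
         `<p class="body">${tweet.text}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded before interpolation,
// so the tweet is shown as the literal text the author typed.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">@${escapeHtml(tweet.user)}</span>` +
         `<p class="body">${escapeHtml(tweet.text)}</p></div>`;
}

// Oracle used here to compare the two renderers: would a browser see a
// real <script> start tag in the produced markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample, shortened from the payload quoted in the article.
// "\u2665" is the trailing heart character.
const sampleTweet = {
  user: 'derGeruhn',
  text: '<script class="xss">alert(\'XSS in Tweetdeck\')</script>\u2665',
};

console.log(containsScriptTag(renderTweetUnsafe(sampleTweet))); // true
console.log(containsScriptTag(renderTweetSafe(sampleTweet)));   // false
```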


The issue seems to have affected TweetDeck alone, as the web interface for the service and other apps using Twitter’s API did not behave abnormally.

Initially, TweetDeck’s channel announced a fix that consisted of simply logging out of the app and then logging back in.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014


However, many users reported that the issue persisted, and 28 minutes later a second message was posted on TweetDeck’s channel. This one announced that TweetDeck had been taken down temporarily so that the security issue could be investigated.

We've temporarily taken TweetDeck services down to assess today's earlier security issue. We'll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014


A short while ago, TweetDeck services were restored and everything should be working fine.

We've verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014

Feedly and Evernote services have also been taken offline today because of distributed denial-of-service (DDoS) attacks. In the case of the latter, everything is up and running, but at the time of writing, Feedly continues to be inoperable.
TweetDeck Shut Down Due to XSS Vulnerability, reviewed by Kepler.