TweetDeck, an extremely popular application for using Twitter, is sending people messages that read "yo," "penis," and other silly phrases due to a security vulnerability in the app. It also caused other users to automatically retweet messages that they didn't manually retweet.

The reason for these and other bizarre messages is what’s called a cross-site scripting, or XSS, vulnerability with TweetDeck’s Web app and its extension in the Google Chrome browser. Before reading any further, if you use TweetDeck through either of these apps, you should go log out and revoke its access from your Twitter settings, which you can do here.

Internet and social media expert Tom Scott, whose tweet is above, went on to describe the scripting issue as “an absolutely staggering security hole” in a blog post. He explained that the vulnerability could allow a hacker to take actions ranging from making weird messages appear (as seen above) to potentially gaining complete control of someone’s account.

One user figured out how to send a tweet that would automatically be retweeted by all followers using vulnerable TweetDeck apps. The tweet sparked an automated chain reaction that caused it to accumulate more than 40,000 retweets in about 20 minutes. The number of retweets has been slowly declining as more inadvertent retweeters undo the action.
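As an added illustration of the class of bug described above (example code, not TweetDeck's own, whose internals the article does not show), here is a web client that splices tweet text into HTML verbatim beside one that output-encodes it; the sample tweet, the heart entity it carries and the `injectedTagCount` check are constructed for this example.

```javascript
// Characters that carry meaning in HTML text and attribute context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe pattern: the tweet body becomes part of the page markup, so any
// markup inside a tweet runs in the viewer's session (stored XSS). Every
// follower whose client renders this way is affected by one tweet.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">${tweet.user}</span><p>${tweet.text}</p></div>`;
}

// Hardened pattern: every untrusted field is encoded for HTML text context,
// so the tweet is displayed as text and can never add tags or handlers.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">${escapeHtml(tweet.user)}</span><p>${escapeHtml(tweet.text)}</p></div>`;
}

// Constructed sample tweet (assumption, not a real payload from the incident):
// a decorative HTML entity plus an inline event handler, the shape that fires
// in any client treating tweet text as HTML.
const SAMPLE_TWEET = {
  user: 'someone',
  text: '&hearts; hello <img src="x" onerror="alert(1)">',
};

// Defender-side check on rendered output: untrusted text must not add tags
// beyond the ones the template itself emits. Opening tags only are counted.
function injectedTagCount(html, templateTagCount) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.length - templateTagCount;
}

// The template above emits three opening tags: div, span, p.
const TEMPLATE_TAGS = 3;

console.log(renderTweetUnsafe(SAMPLE_TWEET)); // one extra <img ...> tag with a handler
console.log(renderTweetSafe(SAMPLE_TWEET));   // entity and tag shown literally, nothing runs
```

Note that the safe renderer also shows the typed `&hearts;` literally as text; a client that wants to display such decorations has to do so deliberately (for example by mapping a known allowlist of entities after encoding), never by letting tweet text through as HTML.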

Twitter, which purchased TweetDeck in 2011 for about $40 million, initially said that it had patched the vulnerability.

“We're aware of the issue, and it is now fixed,” Twitter spokeswoman Rachel Millner told the Daily Dot in an email. “Users should log out of TweetDeck and log back in to make sure the fix is fully applied.”

Soon after, however, Millner followed up by sending a link to this tweet as an update:

It seems we’re not out of the woods quite yet. This is a developing story. We will continue to provide updates as we learn more.

Update: The TweetDeck team says that it has patched the XSS vulnerability and restored functionality to all affected apps.

Update 2: Turns out, the whole TweetDeck "hack" was an accident committed by a 19-year-old Austrian kid named Florian. He just wanted to add heart shapes to his tweets in a new way. (Really.)

Photo by Uncalno Tekno/Flickr (CC BY 2.0)