
How to keep the XSS TweetDeck bug from posting on your behalf

Twitter went into crisis mode today to fix a self-propagating XSS flaw in the popular TweetDeck client that makes users retweet the malicious tweet against their will. Despite swift action, the exploit spread like wildfire, gaining tens of thousands of retweets in minutes, and the number is still growing.

The current fix in place requires user intervention to apply, with a logout required before the hole is closed. Moreover, some users were still reporting the problem post-logout.
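As an added illustration of the bug class (this is not TweetDeck's code or Twitter's fix), here is how a client can render untrusted tweet text so that markup inside a tweet stays inert: entity-encode the text, and only build links from allow-listed URL schemes. The tweet object shape, the helper names and the sample tweet are assumptions constructed for the example.

```javascript
'use strict';

// Characters that can open a tag or break out of an attribute value.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-encode untrusted text so the browser shows it as characters, never as markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Allow only http(s) link targets; javascript:, data: and malformed URLs yield null.
function safeHref(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:' ? u.href : null;
  } catch (_) {
    return null;
  }
}

// Render one tweet to an HTML string. The shape (text plus entities.urls with
// [start, end] indices into the text) mirrors the Twitter v1.1 tweet object; treating
// the indices as plain JavaScript string offsets is a simplification for this example.
function renderTweetHtml(tweet) {
  const text = tweet.text;
  const urls = [...(tweet.entities && tweet.entities.urls ? tweet.entities.urls : [])]
    .sort((a, b) => a.indices[0] - b.indices[0]);
  let html = '';
  let pos = 0;
  for (const ent of urls) {
    const [start, end] = ent.indices;
    html += escapeHtml(text.slice(pos, start)); // text before the link, encoded
    const href = safeHref(ent.expanded_url);
    const label = escapeHtml(ent.display_url);
    // Only a validated URL becomes an anchor; otherwise the label is shown as plain text.
    html += href ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${label}</a>` : label;
    pos = end;
  }
  html += escapeHtml(text.slice(pos)); // remainder of the text, encoded
  return `<div class="tweet"><b>${escapeHtml(tweet.user.screen_name)}</b> ${html}</div>`;
}

// Constructed sample tweet (not a real one): markup in the text and a non-http link target.
const SAMPLE_TWEET = {
  user: { screen_name: 'someone' },
  text: 'look <script>alert(1)</script> at t.co/abc',
  entities: { urls: [{ expanded_url: 'javascript:alert(1)', display_url: 't.co/abc', indices: [34, 42] }] },
};

console.log(renderTweetHtml(SAMPLE_TWEET));
// <div class="tweet"><b>someone</b> look &lt;script&gt;alert(1)&lt;/script&gt; at t.co/abc</div>
```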

Here’s a quick step-by-step on how to back out of that annoying retweet cycle dialog box, deauthorize third-party applications from accessing your Twitter account and log out of TweetDeck.

If this exploit hits you, don’t click on any dialog boxes TweetDeck brings up, even to close them. Instead, open Task Manager (Ctrl-Alt-Del) and kill TweetDeck the old-fashioned way.

Windows Task Manager Jim Norris

Use the Windows Task Manager to kill TweetDeck without interacting with the client.

Next, go to your Twitter account settings page by clicking the gear icon in the top right corner.

Twitter settings icon Jim Norris

Open up the Twitter settings interface by clicking on the gear icon.

Now, find and click on the Apps entry near the bottom of the menu to the left.

Twitter settings page Jim Norris

Click on Apps in the menu to the left.

You’ll get a list of the apps you’ve authorized to access your Twitter account. Find TweetDeck and click “Revoke access.” This will keep TweetDeck from accessing your account. While you’re here, take a moment to deauthorize the other apps you don’t use anymore. There are likely to be quite a few.

Revoke Tweet Deck access for Twitter Jim Norris

Revoke access for TweetDeck

Now it’s time to log out of TweetDeck itself. Start up TweetDeck (Chrome’s version is best) and ignore the prompt to reauthorize. Click on the gear in the lower left corner and you’ll see a selection to sign out of TweetDeck. Sign out, and you’ll get to the startup page. Once you’re there, you’re done.

Later, when you sign back in again, you’ll be asked to reauthorize TweetDeck. Go ahead and reauthorize, as the patched code is now in place.

TweetDeck logout Jim Norris

Log out of TweetDeck using the cog icon at the lower left.

Twitter took down TweetDeck for a short time this morning to evaluate fixes and restored service 90 minutes later. Users should be good to go, although more paranoid tweeters might want to stick with the vanilla web client for a day or so to see how things pan out.
