How to keep the XSS TweetDeck bug from posting on your behalf
Twitter went into crisis mode today to fix an XSS flaw in the popular TweetDeck client that has users retweeting the virus-like vulnerability against their will. Despite swift action, the exploit spread like wildfire, gaining tens of thousands of retweets in minutes, and the number is still growing.
The current fix in place requires user intervention to apply, with a logout required before the hole is closed. Moreover, some users were still reporting the problem post-logout.
Welp. Logged out of Tweetdeck, logged back in, and got this: So clearly Twitter’s “fix” does not work! pic.twitter.com/Sv7bpvaqfQ— Matt Rosoff (@MattRosoff) June 11, 2014
Here’s a quick step-by-step on how to back out of that annoying retweet cycle dialog box, deauthorize third-party applications from accessing your Twitter account and log out of TweetDeck.
If this exploit hits you, don’t click on any dialog boxes TweetDeck brings up, even to close them. Instead start your task manager (Ctrl-Alt-Del) and kill them the old-fashioned way.
Next, go to your Twitter account settings page by clicking the gear icon in the top right corner.
Now, find and click on the Apps entry near the bottom of the menu to the left.
You’ll get a list of the apps you’ve authorized Twitter to access. Find TweetDeck and click “Revoke access.” This will keep TweetDeck from accessing your account. While you’re here, take a moment to deauthorize the other apps you don’t use anymore. There’s likely to be quite a few.
Now it’s time to log out of TweetDeck itself. Start up TweetDeck (Chrome’s version is best) and ignore the prompt to reauthorize. Click on the gear in the lower left corner and you’ll see a selection to sign out of TweetDeck. Sign out, and you’ll get to the startup page. Once you’re there, you’re done.
Later, when you sign back in again, you’ll be asked to reauthorize TweetDeck. Go ahead and reauthorize, as the patched code is now in place.
Twitter took down Tweetdeck for a short time this morning to evaluate fixes and restored services 90 minutes later. Users should be good to go, although more paranoid tweeters might want to stick with the vanilla web client for a day or so to see how things pan out.