Twitter jumps to block XSS worm in Tweetdeck

The Twitters were a-twitting this morning over a newly discovered cross-site scripting (XSS) flaw in the popular Tweetdeck client, which is owned by Twitter itself.

What is cross-site scripting? Often abbreviated XSS, it is a flaw in a web site or web application that lets an attacker inject client-side script into pages that other users view. Because the browser cannot tell the injected script from the site's own, it runs with whatever access the victim's logged-in session has on that site.

In this case it meant that a Twitter user could put script into a tweet that, when Tweetdeck rendered it, would execute inside the browsers of Tweetdeck users who saw that tweet.

After the discovery of this bug, most tweets were harmlessly popping up alert messages in Tweetdeck users' browsers, as our former colleague Graham Cluley showed in his blog this morning.

A quick look at Twitter shows plenty of attempts to exploit this flaw still flying around, although Twitter has now patched it.


People have suggested this was not malicious, but I disagree. Creating a network worm even if only being used to spread a warning message is still malicious activity no matter how you cut it.

In fact, most antivirus companies use definitions similar to the much-derided Computer Fraud and Abuse Act (CFAA) in the United States.

The CFAA makes it a crime to access a computer or network without authorization, or to exceed the access one has been authorized.

An extremely open definition, but one that should be easy enough for people to understand. No permission, don’t access it.

Antivirus firms largely consider something malicious if it uses resources on a computer without the owner's permission, or for purposes other than those the user agreed to when allowing it access.

It has been a while since we have seen a Twitter-related worm, and hopefully it will be a long while until we do again.


Twitter says they have put this bug to bed. It is now safe to tweet about the cabin.