TweetDeck bug reminiscent of 2006 Myspace attack

Though being bombarded with vulgar alerts may have been a novel experience for many of TweetDeck’s users, the bug that caused the problems is nothing new.

It’s called a “cross-site scripting” vulnerability, a bug that basically causes data that’s supposed to be read as text to instead be treated as actionable code. In this case, tweets that were supposed to be run-of-the-mill readable posts were instead being handled by the browser as code, prompting automatic retweets of the problem message. (Users also saw a number of pop-up messages including one referring to a male anatomical part.)

This type of bug has been around for years – long before Twitter became popular.

In 2006, a similar vulnerability on Myspace forced thousands of users to friend a particular user, and announce to their other friends that the hacker, “Samy,” was their “hero.”

Trey Ford, a security strategist at Rapid7, said that protecting against these hacks rests solely on websites and the companies behind them. He said there is nothing users can do to avoid falling prey.


“When you go to Facebook or you go to Twitter, you’re depending on their application to run as intended,” he said.

Luckily, Ford said, the harm caused by the bug was minimal.

TweetDeck, a social media dashboard tool used to manage and post to Twitter accounts, was temporarily taken offline earlier in the day but was back up by midday.

“This kind of attack doesn’t strike me as terribly malicious,” Ford said. “The level of malice on this is zero. I found this charming and amusing.”

Follow me @RobertFaturechi