Tweetdeck 'hack': rudimentary, but still widely shared
XSS weakness led to thousands of auto-retweets
The XSS vulnerability in Tweetdeck showed just how easily a simple security flaw can let scripts run on users' devices.
The cross-site scripting (XSS) vulnerability in Twitter's Tweetdeck plugin may have been rudimentary, but it still led to posts being auto-retweeted by tens of thousands of Twitter users yesterday.
These included accounts used by the BBC, Labour leader Ed Miliband, and a senior White House official, according to several reports.
Twitter was forced to suspend Tweetdeck, the browser plugin which collates feeds from multiple sources, while it tried to patch the problem.
XSS vulnerabilities are dangerous because they are easily shared and allow scripts to run on users' devices. Such scripts may, for example, send data from a user's browser to a remote hacker.
The weakness was reported yesterday by teenaged Austrian programmer 'Florian', who discovered that the plugin executed a snippet of HTML as code instead of displaying it as plain text.
He told The Telegraph: "I was shocked when I saw the script got executed. This is a mistake no web developer should make."
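The class of mistake described above (tweet text treated as HTML rather than plain text) is shown here next to a hardened renderer. This is an added example, not Tweetdeck's code: the function names, the link-building step and the sample tweet are assumptions constructed for illustration.

```javascript
// Constructed sample tweet: markup that a client should display literally.
const SAMPLE_TWEET =
  'Testing <script>/* constructed placeholder */</script> & a link ' +
  'https://example.com/a?b=1&c=2 <3';

// Only http(s) URLs are turned into links; other schemes stay plain text.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Escape the characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe (hypothetical): tweet text goes into the markup unescaped, so any
// tags it contains become part of the page.
function renderTweetUnsafe(text) {
  const body = text.replace(URL_RE, (u) => `<a href="${u}">${u}</a>`);
  return `<p class="tweet">${body}</p>`;
}

// Hardened: every run of user text, URLs included, is escaped on its own.
// The only tags in the output are the ones this function writes itself.
function renderTweetSafe(text) {
  let out = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const url = escapeHtml(m[0]);
    out += `<a href="${url}" rel="noopener noreferrer">${url}</a>`;
    last = m.index + m[0].length;
  }
  out += escapeHtml(text.slice(last));
  return `<p class="tweet">${out}</p>`;
}

// List the elements a browser would create from a fragment (opening tags only).
function tagNames(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

console.log('unsafe tags:', tagNames(renderTweetUnsafe(SAMPLE_TWEET)));
console.log('safe tags:  ', tagNames(renderTweetSafe(SAMPLE_TWEET)));
console.log(renderTweetSafe(SAMPLE_TWEET));
```

In browser code, assigning user text through `textContent` rather than `innerHTML` achieves the same result when no links or other markup need to be generated.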