If you use TweetDeck for Chrome, you should log out now. Turns out it has an XSS vulnerability that allows attackers to execute code remotely on your computer just by tweeting it out.
We’re getting reports of issues in the Chrome app, in the web app on Firefox and the Windows desktop client. For now, it’s mostly just being used to (annoyingly) spam popup windows, but there’s potential to do some damage with this power, so you should close up shop until the problem’s fixed.
We’ve reached out to Twitter for comment, and we’ll update when the coast is clear.
Update: TweetDeck has given the all-clear, although you’ll need to log out and then log back in to make sure everything’s OK.
A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014
Update 2: We’re having mixed results with the “log out and then log back in” fix, and still seeing a few pop-ups here and there on different machines. If you want to be safe, it’s probably best to stay logged out for a bit longer, especially if you run across any pop-ups.
Update 3: Twitter is now apparently taking TweetDeck services all the way down to fix the issue.
We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014
Update 4: TweetDeck is back up and saying all is well (again). But again, we’ve still got some people here at the office having problems. It might pay to stay off for just a little while longer.
We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014