Tweetdeck has an XSS flaw. Here’s what you should do right now

A potentially serious security flaw has been found in Tweetdeck, a popular Twitter client.

At the time of writing the cross-site scripting (XSS) flaw doesn’t appear to have been exploited maliciously.

But that doesn’t mean you should rest on your laurels – after all, information about how to exploit the flaw is out there, and it is easy to imagine how someone could take advantage of it for malicious purposes.
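To make concrete what a cross-site scripting flaw in a Twitter client amounts to, here is an added example (written for this page; it is not Tweetdeck's code and not from the original post). A client takes tweet text it did not author and turns it into HTML; if the text is concatenated straight into markup, any tag inside a tweet becomes live in every reader's browser. The `escapeHtml` helper and the sample tweet below are constructed for illustration.

```javascript
// Added example: a minimal tweet renderer showing the XSS-prone pattern
// next to the escaped one. Not Tweetdeck's code; the sample tweet is constructed.

// Escape the five characters that let text break out of an HTML text node
// or a quoted attribute value. Everything else passes through unchanged.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: untrusted tweet fields concatenated straight into markup.
// If this string reaches innerHTML, any markup inside the tweet is interpreted.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped before it touches markup,
// so tags typed into a tweet are displayed as text rather than executed.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Crude check: does the rendered HTML contain any element tag other than the
// ones the template itself emits? Used to compare the two renderers.
function containsForeignTag(html) {
  const allowed = new Set(["div", "/div", "b", "/b"]);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1).toLowerCase()));
}

// Constructed sample: a tweet whose body carries an inert script tag, the
// textbook placeholder for "markup that should never be interpreted".
const sampleTweet = {
  user: "someone",
  text: "hello <script>alert(1)</script> world",
};

// Stand-alone demo: shows the two outputs side by side.
console.log("unsafe:", renderTweetUnsafe(sampleTweet));
console.log("safe:  ", renderTweetSafe(sampleTweet));
```

In a real client, building the DOM with `textContent` (or a templating library that escapes by default) is preferable to string concatenation, because the escaping then cannot be forgotten on one code path. Revoking an app's access, as described below, is the user-side mitigation while the client's rendering is fixed.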

XSS in Tweetdeck


In my opinion, Tweetdeck isn’t safe to use until the flaw has been fixed.

So you need to quit Tweetdeck right now, and revoke its access to your Twitter account.

Here’s how you do it:

1. Go to the Apps section of your Account settings on the Twitter website: https://twitter.com/settings/applications (If you are not already logged into Twitter, it will ask you to enter your password and, if enabled, your two-factor authentication code).

You should see a screen like this, with your account and the various apps that you have granted access to your Twitter account.

Twitter apps

2. Find Tweetdeck in the list and revoke its access by pressing the button entitled (imaginatively) “Revoke access”:

Revoke Tweetdeck's access to your account

You’re all done.

By the way, there’s no harm in seeing what other applications you have granted access to your Twitter account, and removing any which you don’t recognise or don’t use any more.

Of course, now you don’t have a Twitter client. For the time being you might want to try using the Twitter website itself. Hopefully a fix will be announced for Tweetdeck shortly.

Oh, and feel free to follow me for the latest security news and updates. I’m @gcluley on Twitter.

Update: Tweetdeck says it has fixed the issue.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky and Mastodon, or drop him an email.
