TweetDeck vulnerability lets attackers execute code remotely
A newly discovered vulnerability in TweetDeck for Chrome is allowing attackers to remotely execute JavaScript code through an unpatched flaw. Users have reported seeing random pop-up windows reading "Yo!" or "Please close now TweetDeck [sic], it is not safe." The vulnerability is believed to be confined to the web version of TweetDeck, but other users have reported similar attacks in TweetDeck's Windows app.
Twitter says that they have fixed the vulnerability, and users can apply the fix by logging out of TweetDeck and logging back in. We are still in the process of confirming the fix, and will update with any results.
Researchers have reported XSS problems in TweetDeck in the past, most notably Mikko Hypponen in 2011, but developers reported that vulnerability as fixed the following day, and most believed it to be a closed issue. It's still unclear how the vulnerability resurfaced. Twitter did not immediately respond to requests for comment.
wtf?! pic.twitter.com/B18fUIat2j
— Kevin Smith (@OfficialKLS) June 11, 2014
XSS, short for "cross-site scripting," is one of the most widespread and prolific sources of security flaws in web applications. When user-supplied content is rendered without being escaped, the attack lets one user run their own JavaScript inside other users' browsers. So far, most of the reported exploits have been simple pop-up messages, but the potential does exist for more sinister attacks. At least one attack used the vulnerability to trigger TweetDeck's Retweet command, causing any vulnerable client to automatically retweet the string to all of its followers.
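As an added illustration of the rendering mistake behind this kind of bug (example code, not TweetDeck's or Twitter's own), here is tweet text spliced into HTML unescaped beside the hardened version that escapes every untrusted field first; the tweet object, its field names and the sample text are constructed for the example.

```javascript
// Added example: rendering untrusted tweet text in a web client.
// The tweet object and its fields are constructed, not TweetDeck's data model.
const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five HTML-significant characters so tweet text can only ever be
// displayed as text, never interpreted as markup or script by the browser.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable pattern: the tweet's text is spliced straight into an HTML string.
// If this string is assigned via innerHTML, any markup in the tweet becomes
// live DOM, and any script in it runs with the client's privileges.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">@${tweet.user}</span> ${tweet.text}</div>`;
}

// Hardened pattern: every untrusted field is escaped before splicing, so the
// same tweet is shown verbatim as text and nothing in it is executable.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">@${escapeHtml(tweet.user)}</span> ${escapeHtml(tweet.text)}</div>`;
}

// Constructed tweet mirroring the "Yo!" pop-ups reported in the article.
const SAMPLE_TWEET = { user: "someone", text: 'hi <script>alert("Yo!")</script>' };

// Simple check a reviewer can run over rendered output: a live <script> tag in
// the HTML produced from user content means escaping was skipped somewhere.
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log("unsafe:", renderTweetUnsafe(SAMPLE_TWEET)); // live <script> tag
console.log("safe:  ", renderTweetSafe(SAMPLE_TWEET));   // &lt;script&gt; as text
```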
One limiting factor, discovered by Whisper Systems' Frederic Jacobs, is that Twitter sets its session cookies with the HttpOnly flag, so injected script cannot read them, which means the vulnerability probably cannot be used to hijack private sessions like webmail or banking.