
Here’s how that major Tweetdeck vulnerability works

The popular Twitter app Tweetdeck is shutting down after the discovery of a serious security vulnerability in the software:

Tweetdeck is vulnerable to what is known as a cross-site scripting attack, which allows hackers to execute code on the victim’s computer. The attack makes use of the JavaScript programming language, which powers most of the web’s interactive content. If someone puts JavaScript code into a tweet, your Twitter client is supposed to convert it into harmless plain text. But Tweetdeck failed to do that, so the user’s computer executed the code instead.

The result: if you were running Tweetdeck, anyone in your Twitter timeline could force your computer to execute JavaScript code. For example, it could display annoying popup messages on a user’s screen, or create viral tweets that spread by causing users to retweet them automatically.

Fortunately, JavaScript programs are executed within a “sandbox” that sharply limits what they can do. In this case, malicious code can only do things that the Twitter app itself is allowed to do, like tweet, follow users, or retweet others’ messages. But it likely can’t access private files on a user’s hard drive, read a user’s email, or install long-lived spyware on the computer.
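To make the "convert it into harmless plain text" step concrete, here is an added example of the bug class and its fix. This is illustrative code written for this page, not Tweetdeck's or Twitter's code; the function names, the template markup and the sample tweet are all constructed assumptions. The unsafe renderer splices tweet text straight into HTML, so any tags in the tweet become live markup; the safe renderer escapes the characters HTML treats specially before interpolating them.

```javascript
// Added example (not Tweetdeck's code): rendering a tweet into HTML.
// Characters that must be neutralised before untrusted text is placed in HTML.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Convert untrusted text so the browser displays it literally instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The bug class described in the article: tweet text dropped straight into
// markup, so any tags in it are parsed as HTML when the client renders it.
function renderTweetUnsafe(author, text) {
  return `<div class="tweet"><b>${author}</b>: ${text}</div>`;
}

// The fix: escape every untrusted field before interpolating it into markup.
function renderTweetSafe(author, text) {
  return `<div class="tweet"><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</div>`;
}

// Rough check for tests and logging only (not a sanitizer): did a script tag
// or an inline event-handler attribute survive into the rendered output?
function containsActiveMarkup(html) {
  return /<script\b|\son[a-z]+\s*=/i.test(html);
}

// Constructed sample tweet (not a real tweet) that carries markup in its text.
const SAMPLE_TWEET = {
  author: "someone",
  text: 'Nice day <b>today</b> & <script>alert("demo")</script>',
};

// Render the same sample both ways so the difference is visible side by side.
function demo() {
  const unsafe = renderTweetUnsafe(SAMPLE_TWEET.author, SAMPLE_TWEET.text);
  const safe = renderTweetSafe(SAMPLE_TWEET.author, SAMPLE_TWEET.text);
  return {
    unsafe,
    safe,
    unsafeHasActiveMarkup: containsActiveMarkup(unsafe),
    safeHasActiveMarkup: containsActiveMarkup(safe),
  };
}

console.log(demo());
```

Escaping at the point where text is written into HTML is the general rule; it covers the tweet body, the display name and any other field that originates from another user, and it is what a client like Tweetdeck skipped.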

This is an important virtue of the web compared with conventional desktop software. If a bug is discovered in a traditional Mac or Windows application, the attacker will often gain total control over a user’s computer. In contrast, web browsers (and apps like Tweetdeck built on web-based technologies) are carefully designed to limit the damage that malicious JavaScript can do.

A security problem in Twitter, Facebook, or Gmail can still cause a lot of headaches for users. It could allow hackers to access private emails or spam victims’ friends. But in most cases, it won’t give the attacker total control over your computer or even other websites.
