Tweetdeck Shutdown After Security Flaw Enables Hijacking

Twitter's Tweetdeck client was shut down for a period after a cross-site scripting (XSS) vulnerability was discovered that left millions of users open to having their accounts hijacked. Twitter initially announced that the flaw had been fixed, but it later took the service down for around an hour.

Tweetdeck provides users with a web- or app-based interface for monitoring multiple searches and managing more than one account. Among the accounts affected by the security flaw were BBC Breaking News and that of MP Ed Miliband.

The flaw caused vulnerable versions of Tweetdeck (specifically version 3.7.1-19002e5) to execute JavaScript code contained in tweets posted by other users: the client treated tweet content as markup rather than as plain text. Most of the attacks that exploited the vulnerability did nothing worse than pop up irritating alert dialogs on users' screens, but one tweet retweeted itself, spreading 38,000 times within two minutes, and another changed Tweetdeck's font to Comic Sans.
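A minimal illustration of the bug class described above, added here as an example and not Tweetdeck's own code (the page gives no detail of the actual faulty rendering path beyond the version number): a tweet renderer that interpolates tweet text straight into HTML, next to a hardened one that escapes it, with a constructed payload and a crude check for markup a browser would act on. The function names, the shape of the tweet object and the payload are assumptions.

```javascript
// Added example (not Tweetdeck's code): a tweet renderer that carries tweet
// text into HTML verbatim, beside the hardened form. The tweet object shape,
// function names and the payload below are assumptions made for illustration.

// Vulnerable: tweet text is interpolated into HTML as-is, so any markup in the
// tweet, including inline event handlers, becomes part of the page and the
// browser executes it in the viewer's logged-in session.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><b>@${tweet.user}</b> ${tweet.text}</div>`;
}

// Hardened: escape the five characters that are significant in HTML element
// text and double-quoted attribute values, so tweet text is displayed as data
// and never parsed as markup. Other contexts (URLs, inline script, CSS) need
// their own encoders; this helper is not sufficient for them.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderTweetSafe(tweet) {
  return `<div class="tweet"><b>@${escapeHtml(tweet.user)}</b> ${escapeHtml(tweet.text)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// output contain a <script> tag or an element with an on* event handler?
// This is a demonstration aid, not a substitute for proper output encoding.
const ACTIVE_MARKUP = /<script\b|<\/?[a-z][^>]*\son[a-z]+\s*=/i;
function containsActiveMarkup(html) {
  return ACTIVE_MARKUP.test(html);
}

// Constructed payload of the kind the article describes: a tweet whose text is
// really markup carrying an event handler that fires when the client renders it.
const maliciousTweet = {
  user: 'attacker',
  text: '<img src=x onerror="alert(\'xss\')">',
};

// Stand-alone demonstration: the unsafe renderer passes the handler through,
// the safe renderer turns it into inert text.
console.log('unsafe:', renderTweetUnsafe(maliciousTweet));
console.log('  active markup present:', containsActiveMarkup(renderTweetUnsafe(maliciousTweet)));
console.log('safe:  ', renderTweetSafe(maliciousTweet));
console.log('  active markup present:', containsActiveMarkup(renderTweetSafe(maliciousTweet)));
```

Escaping is context-specific: the helper above is correct for element text and double-quoted attribute values only. A real client should render untrusted text through a templating layer that escapes by default (or set it via `textContent` rather than `innerHTML` in the DOM), and should ship a Content Security Policy as a backstop so that an encoding slip does not immediately become script execution.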

In theory, such a flaw could have allowed accounts to be taken over, since script running inside a logged-in Tweetdeck session acts with that user's authority: attackers could post tweets, follow and unfollow people, and more. Twitter's normal web interface and other apps that use Twitter's API do not appear to have been affected, and no security warnings were issued for those services. Twitter suffered a similar vulnerability in September 2010, discovered by an Australian teenager.

 
