Tweetdeck Security Flaw Exposed by ‘f gwenifill’ Trend

Does your agency use Tweetdeck? Do one or more employees access/manage multiple client feeds through Tweetdeck? If so, then you should pay attention to this story.

Things got weird on Twitter yesterday as an astonishing number of media feeds tweeted the same thing: “f gwenifill”. None of the feed managers had sent this tweet, so there was a lot of confusion before things became a little clearer.

Turns out Kate Gardiner, a writer and media strategist who you should follow, once managed the feeds of several different news organizations under the Newsweek banner. While attempting to delete her previous accounts, she posted a test tweet that should have instructed her account to follow Gwen Ifill of PBS—but every account for which she once had the keys or APIs posted the message as a standard tweet instead.

As we understand it, this is the kind of user error that will probably never happen again in precisely the same way, but it illustrates a flaw in Tweetdeck: the app stores previous managers’ keys even after the passwords have been changed.

Stick with us for one more minute…

The point, made here by the always-excellent On the Media, is that former employees could theoretically create trouble for your agency via Tweetdeck even if you’ve already changed the passwords. Gardiner explained how to avoid that problem:

So take note, use HootSuite, and make sure that any soon-to-be-former social media managers with access to clients’ feeds through Tweetdeck delete their accounts entirely before leaving your agency.