The vulnerability was noticed when the compromised accounts started retweeting a tweet containing a “?” symbol followed by a string of code/parameters.



TweetDeck is a popular social media dashboard application for managing Twitter accounts, used by many users, and is owned by the NYSE-listed Twitter Inc.



So how did it happen?

It all started with a vulnerability in the TweetDeck Google Chrome plugin, discovered by 19-year-old Austrian programmer Florian, aka Firo.

“I was tweeting about the HTML heart symbol (♥), because I didn’t know that this was possible,” Florian said.

TweetDeck is not supposed to display this as an image, because it’s simple text, which should be escaped to “&hearts;”. But in my tweet I used the Unicode character of the heart as a reference for my followers.

The whole thing looked like this: there were two hearts. One was black (at the position where the ♥ was supposed to be) and one was red (this one was the Unicode character and got replaced by TweetDeck).

Who knew that the HTML character ♥ for ? exists?

— Firo Xl (@firoxl) June 11, 2014

So I started to play around and discovered that the Unicode heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped. So I used a strong HTML tag to verify this (that’s the famous “I wonder if this works” tweet). It worked.

So I wrote a little script which displays a popup and then blocks itself. It worked.

I wonder if this works: <strong>Test</strong> ?

— Firo Xl (@firoxl) June 11, 2014

This is called XSS (Cross-Site-Scripting) and is very dangerous. No web developer should ever make this possible. TweetDeck did.

I didn’t know that there was such a big problem. So I experimented with this in a public environment; there was no reason not to do so.

<script>if (!a) alert("hihihi");var a=true;</script> ?

— Firo Xl (@firoxl) June 11, 2014

And that was the point where I reported this to TweetDeck.

TweetDeck actually did not react in any way. Their next tweet said that there was a security issue and that users should log in again.

The vulnerability, by now known to everyone via the news wires, made it easier for other hackers, who soon took advantage of it, including @derGeruhn, who used the vulnerability to tweet a self-retweeting script that was retweeted by more than 80K users.
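The mechanism Florian describes above, that an emoji substitution step let tweet text reach the page without being HTML-escaped, can be shown with a small renderer. This is an added example, not TweetDeck’s code; the image path and the `renderTweet*` function names are assumptions, and the vulnerable variant only models the ordering the article describes.

```javascript
// Added example (not TweetDeck's code): why the order of escaping and emoji
// substitution matters. The article describes a Unicode heart, swapped for an
// image by the dashboard, that stopped the surrounding tweet text from being escaped.

const HEART = "\u2665"; // the Unicode heart character
const HEART_IMG = '<img class="emoji" alt="heart" src="/emoji/heart.png">'; // hypothetical path

// Minimal HTML escaping for text that is placed inside an element's body.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable ordering (a model of the described behaviour, not TweetDeck's source):
// the emoji pass runs on the raw text and its output is trusted as HTML, so any
// markup next to a heart reaches the DOM unescaped. Tweets without a heart are
// escaped normally, which is why the bug went unnoticed until a heart was present.
function renderTweetVulnerable(text) {
  if (!text.includes(HEART)) {
    return escapeHtml(text);
  }
  return text.split(HEART).join(HEART_IMG); // escaping skipped on this path
}

// Hardened ordering: escape first, then substitute on the escaped string. The heart
// is not an HTML-significant character, so it survives escaping and can be swapped
// for the trusted image markup afterwards; user-supplied "<" has already become "&lt;".
function renderTweetSafe(text) {
  return escapeHtml(text).split(HEART).join(HEART_IMG);
}

// Constructed sample inputs modelled on the "I wonder if this works" tweet.
const SAMPLE_PLAIN = "<strong>Test</strong>";
const SAMPLE_HEART = "<strong>Test</strong> " + HEART;

// A regression check a dashboard could keep in its test suite: after removing the
// markup the renderer itself emits, no "<" from user text may remain in the output.
function containsUntrustedMarkup(html) {
  return html.split(HEART_IMG).join("").includes("<");
}
```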



