XSS in Tweetdeck (don't view in Tweetdeck...) - maaarghk
https://twitter.com/derGeruhn/status/476764918763749376

======
adambard
So apparently this was retweeted by @5SOS, a teen pop band with some 3 million
followers, which is why most of the responses are confused teenagers.

For some reason this is hilarious to me. Not the pinnacle of responsible
disclosure, but no real harm done.

~~~
yror10
Obviously their social media agent uses tweetdeck...

------
mrspeaker
The replies to that tweet are beautiful. Sometimes you forget that not
everyone in the world can recognize a cross-site scripting vulnerability when
they see one!

------
theboss
What's sad is that not even wrong security was in place here. They didn't even
try. There was NO XSS prevention.

<script>javascript</script> is the first payload you try when looking for the
stupidest XSS you can find....

~~~
adambard
Apparently it was only activated if you included an emoticon (<3) in your
tweet, possibly following the closing script tag.

~~~
ozh
Any UTF8 char actually 💩
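
The TweetDeck bug itself is not reproduced here (the thread only speculates about why a trailing emoji or other UTF-8 character mattered), but the control theboss says was missing, escaping tweet text before it goes into the page, is simple to show. The following is an added example, not TweetDeck's code or anything from the original post; the payload string, function names and the `tweet` class are constructed for illustration.

```javascript
// Added example (not TweetDeck's code): rendering untrusted tweet text.
// The thread reports that a tweet containing <script>...</script> followed by
// an emoji/UTF-8 character ran inside TweetDeck; the trigger mechanism is only
// speculated about there, so this shows the general defence, not the bug.

// Minimal HTML escaper for text placed inside an element body or a quoted
// attribute. Only the five characters that can change HTML structure are
// touched; everything else, including multi-byte characters, passes through.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Unsafe: concatenating raw tweet text into markup. Anything the tweet
// author typed becomes part of the page's DOM, script tags included.
function renderTweetUnsafe(text) {
  return '<div class="tweet">' + text + '</div>';
}

// Safe: escape first, so the tweet is displayed as text. The heart survives.
function renderTweetSafe(text) {
  return '<div class="tweet">' + escapeHtml(text) + '</div>';
}

// Constructed sample modelled on the thread: a script tag followed by
// HEAVY BLACK HEART (U+2764, bytes E2 9D A4 in UTF-8). Not the real tweet.
const SAMPLE_TWEET = '<script>alert("xss")</script>\u2764';

// Helper a reviewer or test can use: does rendered markup still carry a
// live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demo when run directly with node.
if (typeof module !== 'undefined' && typeof require !== 'undefined' &&
    require.main === module) {
  console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
  console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
}
```

In a browser the same effect is obtained without string-building by assigning the tweet to `element.textContent` rather than `innerHTML`; the escaper above is for code paths that must produce markup as a string. Note that the emoji is untouched by the escaper, so a fix that strips or rejects non-ASCII characters would be the wrong lesson: the problem is the unescaped `<` and `>`, not the heart.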

------
k-mcgrady
I guess the New York Times uses Tweetdeck[1]. I saw this because several
people I follow had retweeted it and the Twitter app notifies you if several
of your followers do the same thing. It's a useful feature. If Tweetdeck does
the same thing it could make this spread really fast.

[1] https://twitter.com/derGeruhn/status/476764918763749376

------
DouweM
I wonder if the poster of this "twitter worm" could get in legal trouble for
this; it's quite similar to the Samy MySpace worm[1] of a decade ago, where
the creator was charged with a felony (they plea bargained out).

[1] https://en.wikipedia.org/wiki/Samy_(computer_worm)

~~~
nknighthb
Fortunately, the author appears to be German.

------
blackRust
Looks like it might even be starting to loop around? The Guardian have already
scurried an article about it [1].

[1] http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable

------
6thSigma
A lot of people I follow must use Tweetdeck. This has been retweeted on my
feed several times in the last few minutes.

~~~
maaarghk
Somebody in my office got hit with it, that's how I found out.

------
maaarghk
Wonder if it's because of the emoji at the end? It's HEAVY BLACK HEART,
U+2764, e29da4 in hex.

------
zatkin
"The _most powerful_ Twitter tool for real-time tracking, organizing and
engagement."

~~~
michielvoo
So powerful, it even supports scripted tweets

------
basicallydan
39,000 retweets and counting.

------
rrss1122
Someone's gonna get in trouble for using an eval in tweetdeck...

------
sp332
Tweetdeck seems to be down now.

~~~
ozh
It is: https://twitter.com/TweetDeck/statuses/476770732987252736
"We've temporarily taken TweetDeck services down to assess today's earlier
security issue. We'll update when services are back up."

------
tarekmoz
Security 101?

------
hybridknight
so fast

~~~
maaarghk
Apparently it's fixed already

http://thenextweb.com/twitter/2014/06/11/tweetdeck-users-xss-vulnerability-means-revoke-access-now/

~~~
ojii
Definitely not fixed here. Chrome on Linux, logged out and back in, closed and
re-opened tab. Not fixed.

