TweetDeck, which was acquired by Twitter in 2011 for $40 million, is an App that lets you manage multiple Twitter accounts in one place. It shows tweets in real-time without you having to refresh your feed. It’s mostly used by social media marketers, journalists and other Twitter power users.
Users began experiencing strange pop-up messages when using the real-time Twitter tracking tool TweetDeck. Affected accounts also involuntarily re-tweeted a cross-site scripting (XSS) code sent out by the Twitter account @derGeruhn as a result of the vulnerability. That tweet has since been re-tweeted over 84,000 times.
Once the tweet appeared inside TweetDeck, the code could run actions and be re-tweeted to other accounts, further propagating the problem.
Here are more images of what users saw from the TweetDeck bug.
“Hey, @TweetDeck you might figure out what @derGeruhn just did. Hack tweet automatically made me retweet it along with a lot of others.”
The same script could have acted maliciously, for example by stealing session cookies.
Payload: <script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
The exact reason why the XSS filter was broken has not been released yet, but it seems to have been a Unicode issue in the handling of the ♥ symbol.
The heart was mandatory for the injection to work: the unexpected conversion of "<3" into ♥ caused TweetDeck's validation checks to break.
One possibility is that TweetDeck was receiving the heart as "<3" and had to let the "<" through the parser to make the heart work, which also let through the "<"s in the script.
&hearts; = ❤
“I was tweeting about the HTML-heart-symbol (♥), because I didn’t know that this is possible,” he told The Register in response to questions via email.
“TweetDeck is not supposed to display this as an image. Because it’s simple text, which should be escaped to ‘&hearts;’. But in my tweet I used the Unicode-character of the heart as a reference for my followers.”
You can replace < and > easily with &lt; and &gt;. TweetDeck, however, was replacing the Unicode heart with an image, and in doing so it enabled HTML in the tweet text.
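The ordering problem described above, as an added example that is not TweetDeck's code and models only the "one possibility" the post describes: a hypothetical renderUnsafe function skips escaping when it sees a heart so that the "<" of "<3" survives, while renderSafe escapes the whole tweet first and then substitutes the heart image in the already-escaped text. The heart image markup and the sample tweets are constructed for the example.

```javascript
// Constructed image markup standing in for whatever TweetDeck rendered the heart as.
const HEART_IMG = '<img class="emoji" alt="heart" src="heart.png">';

// Minimal HTML escaper for text nodes: every character that could open
// a tag, entity or attribute is turned into its entity form.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical vulnerable renderer (assumption, not TweetDeck's code):
// when a heart is present it leaves the text unescaped so that "<3" can be
// matched, then swaps the heart for an image. Any other "<" also survives.
function renderUnsafe(tweet) {
  const hasHeart = /<3|\u2665/.test(tweet);
  const body = hasHeart ? tweet : escapeHtml(tweet);
  return body.replace(/<3|\u2665/g, HEART_IMG);
}

// Hardened renderer: escape first, then substitute the heart in the escaped
// string, where "<3" now reads "&lt;3". No raw "<" from the tweet remains.
function renderSafe(tweet) {
  return escapeHtml(tweet).replace(/&lt;3|\u2665/g, HEART_IMG);
}

// Detection helper: does the rendered markup still contain a script element?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample tweet in the shape of the one described in the post.
const SAMPLE_TWEET = '<script class="xss">alert("XSS in Tweetdeck")</script>\u2665';

// Runs both renderers over the sample and returns whether each one leaks a script.
function compareRenderers(tweet = SAMPLE_TWEET) {
  return {
    unsafeLeaksScript: containsScript(renderUnsafe(tweet)),
    safeLeaksScript: containsScript(renderSafe(tweet)),
  };
}
```

The point is not the particular regex but the order: any "make the text pretty" step that runs on unescaped input, or that has to relax escaping to work, reintroduces markup injection; the substitution must operate on the escaped representation.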
Recently I thought my Twitter account was hacked, but in fact it was a stupid issue of my own making: I had added a third-party application to my account and authorized it without reading what it required from my account.
Before a third-party application is connected to your Twitter account, it asks you to authorize the access you are granting it and lists what the app requires.
This should be carefully reviewed prior to acceptance, as some of the requirements may include access to your mail, either to read or to write it (send mail and read mail) on your behalf.
Definition: A third-party application is a product developed apart from Twitter.com or Twitter’s official mobile apps, and that is used to access Tweets and other Twitter data. Seesmic, Hootsuite, and Twitter’s Facebook application are all third-party apps.
- When I saw some unusual tweets being posted to my account, the first thing I thought was that my account was compromised. In fact it was not hacked, as there was no malicious activity carried out from within my account.
- Also, mails were sent to 3 of my followers advertising losing body fat in 2 weeks.
- It seems the only damage done in this experience was that it could possibly get me in trouble with some of my friends by telling them they need these diet pills. 🙂 😛
Twitter’s Quick Response
Twitter actually picked up on this very quickly and emailed me to perform a password reset, thinking my account was compromised, which is good. I am not sure how, but it must have noticed the malicious-looking mails sent to my followers or the quick succession of random tweets posted from my account.
- Review the applications you’ve connected in the Apps tab of your account settings.
- Click the Revoke Access button next to the application.
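Before clicking Revoke Access, it helps to rank the connected apps by what they were granted. The following is an added example, not Twitter's code: a triage over a constructed list of connected apps using Twitter's three permission levels (read only; read and write; read, write and direct messages), flagging the ones that can post or message on your behalf and the ones that have gone unused. The app names, levels and last-used values are constructed sample data.

```javascript
// Twitter's three OAuth permission levels, ordered by how much an app can do.
const LEVELS = {
  'read-only': 1,
  'read-write': 2,
  'read-write-dm': 3, // can also read and send direct messages on your behalf
};

// Constructed sample of connected apps (not real data).
const SAMPLE_APPS = [
  { name: 'TweetDeck',      level: 'read-write',    lastUsedDays: 1 },
  { name: 'DietPillsPromo', level: 'read-write-dm', lastUsedDays: 0 },
  { name: 'OldAnalytics',   level: 'read-only',     lastUsedDays: 400 },
  { name: 'PhotoViewer',    level: 'read-only',     lastUsedDays: 3 },
];

// Returns one review record per app: the reasons it deserves a second look
// (if any), sorted so the most powerful and stalest apps come first.
function triageApps(apps, staleDays = 90) {
  const records = apps.map(app => {
    const rank = LEVELS[app.level];
    if (rank === undefined) throw new Error(`unknown permission level: ${app.level}`);
    const reasons = [];
    if (rank >= LEVELS['read-write-dm']) reasons.push('can send direct messages as you');
    if (rank >= LEVELS['read-write']) reasons.push('can tweet as you');
    if (app.lastUsedDays > staleDays) reasons.push(`unused for ${app.lastUsedDays} days`);
    return { name: app.name, rank, lastUsedDays: app.lastUsedDays, reasons };
  });
  // Highest access first; among equals, the longest unused first.
  return records.sort((a, b) => b.rank - a.rank || b.lastUsedDays - a.lastUsedDays);
}

// Names of apps that have at least one reason to be reviewed or revoked.
function appsNeedingReview(apps, staleDays = 90) {
  return triageApps(apps, staleDays)
    .filter(r => r.reasons.length > 0)
    .map(r => r.name);
}
```

An app you actively use and that needs write access (a client like TweetDeck) will of course be flagged too; the list is a prompt for a decision per app, not a list of things to revoke blindly. The useful signal is a direct-message grant you do not remember giving, or an app nobody has touched in months.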