TweetDeck, which Twitter acquired in 2011 for $40 million, is an app that lets you manage multiple Twitter accounts in one place. It shows tweets in real time without you having to refresh your feed, and it is used mostly by social media marketers, journalists and other Twitter power users.
Users began seeing strange pop-up messages while using TweetDeck. Affected accounts also involuntarily retweeted a cross-site scripting (XSS) payload posted by the Twitter account @derGeruhn; that tweet has since been retweeted more than 84,000 times.
Once the tweet appeared inside TweetDeck, the embedded script ran with the viewing user's privileges and retweeted itself from that account, so every affected user pushed the payload to their own followers and the problem propagated like a worm.
Here are more images of what users saw from the TweetDeck bug.
“Hey, @TweetDeck you might figure out what @derGeruhn just did. Hack tweet automatically made me retweet it along with a lot of others.”
The payload as posted only retweeted itself and popped an alert, but script running in that position could just as easily have acted maliciously, for example by stealing session cookies.
Payload:
<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
It borrows the jQuery that TweetDeck already has loaded: the first statement walks two levels up from the injected element and clicks the second link it finds there (evidently opening the tweet's retweet action), the second clicks the retweet confirmation button, and the third shows the alert. Note the trailing ♥, which is part of the payload and not decoration.
The exact reason the XSS filter failed has not been officially released, but it appears to have been a Unicode handling issue around the ♥ symbol.
The heart was mandatory for the injection to work: the same tweet without it rendered harmlessly, so whatever TweetDeck did with the heart is what caused its validation checks to break.
One possibility is that TweetDeck received the heart as "<3" and had to let a "<" through so the heart would render, which also let the "<" of the script tag through.
♥ (the plain-text character in the tweet) = ❤ (the image TweetDeck displayed in its place)
"I was tweeting about the HTML-heart-symbol (♥), because I didn't know that this is possible," he told The Register in response to questions via email.
"TweetDeck is not supposed to display this as an image. Because it's simple text, which should be escaped to '&hearts;'. But in my tweet I used the Unicode-character of the heart as a reference for my followers."
"You can replace < and > easily with &lt; and &gt;. They are replacing the Unicode character with an image and are enabling HTML."
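The heart-handling bug described above, as an added example that is not TweetDeck's code: a small Node.js simulation of the pattern "escape the tweet, then read it back as plain text to swap the heart for an image, then write the result back as HTML", beside a fixed version that does the swap on the already-escaped string. The escapeHtml and decodeEntities helpers, the image markup and the shortened payload are constructed for this example; the real TweetDeck code path is not shown on this page and the "decode then write as HTML" mechanism is an assumption consistent with the quotes above.

```javascript
// Added example, not TweetDeck's code. Simulates the "read escaped node as text,
// swap heart for image, write back as HTML" pattern suggested by the post.
// Run with: node heart.js

const HEART = '\u2665'; // the plain-text heart character the tweet contained
// Assumed image markup; TweetDeck's actual emoji markup is not shown on the page.
const HEART_IMG = '<img class="emoji" alt="heart" src="heart.png">';

// Escape text for use inside an HTML text node or double-quoted attribute.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Reverse of escapeHtml. Stands in for reading a node via .text()/textContent,
// which hands back the raw characters the author typed, not the entities.
function decodeEntities(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, name) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  })[name]);
}

// Both versions start the same way: the tweet is escaped before it hits the DOM.
function renderTweetText(tweet) {
  return escapeHtml(tweet);
}

// Vulnerable decorator. Reading the node as text undoes the escaping, and writing
// the modified text back as HTML turns the tweet's own <script> into live markup.
// Without a heart nothing is touched, which matches the post: the heart was mandatory.
function decorateHeartsVulnerable(renderedHtml) {
  const plainText = decodeEntities(renderedHtml);  // like $(el).text()
  if (!plainText.includes(HEART)) return renderedHtml;
  return plainText.split(HEART).join(HEART_IMG);  // like $(el).html(...)
}

// Fixed decorator. The heart is not one of the escaped characters, so it survives
// escapeHtml unchanged and can be replaced in the escaped string directly; the
// only '<' that ever reaches the output is our own <img>.
function decorateHeartsSafe(renderedHtml) {
  return renderedHtml.split(HEART).join(HEART_IMG);
}

// Check: after removing our own image markup, does any '<' remain? If so,
// something the tweet author wrote has become a tag.
function containsInjectedMarkup(html) {
  return html.split(HEART_IMG).join('').includes('<');
}

// Constructed tweet: the shape of the worm payload (script plus trailing heart),
// with the jQuery retweet clicks left out.
const PAYLOAD = '<script class="xss">alert("XSS in Tweetdeck")</script>' + HEART;

function demo() {
  const escaped = renderTweetText(PAYLOAD);
  const vulnerable = decorateHeartsVulnerable(escaped);
  const safe = decorateHeartsSafe(escaped);
  console.log('vulnerable:', vulnerable, '-> injected:', containsInjectedMarkup(vulnerable));
  console.log('safe:      ', safe, '-> injected:', containsInjectedMarkup(safe));
  return { vulnerable, safe };
}

demo();
```

The general shape of this bug class is "read .text(), transform, write .html()": the decode step silently reintroduces the author's angle brackets. The fix is to transform the escaped string (or build nodes with the DOM API) so nothing ever un-escapes user text on its way back into the page.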