A TweetDeck vulnerability was discovered this Wednesday which may have compromised thousands of Twitter accounts, including the accounts of BBC News, CNN, a senior White House official, and several other verified accounts.

TweetDeck hack compromises thousands of Twitter accounts, including White House, BBC and CNN accounts

The vulnerability was noticed when the compromised accounts started retweeting a tweet that contained a "♥" symbol together with a string of script code.

TweetDeck is a popular social media dashboard application for managing Twitter accounts, used by many users, and is owned by NYSE-listed Twitter Inc.

So how did it happen?
It all started with a vulnerability in the Google Chrome TweetDeck plugin, discovered by 19-year-old Austrian programmer Florian, known as Firo.

"I was tweeting about the HTML heart symbol (♥), because I didn't know that this is possible," Florian said.

"TweetDeck is not supposed to display this as an image, because it's simple text, which should be escaped to "♥". But in my tweet I used the Unicode character of the heart as a reference for my followers.

"The whole thing looked like this: there were 2 hearts. One was black (at the position where the ♥ was supposed to be) and one was red (this one was the Unicode character and got replaced by TweetDeck)."

Who knew that there is the HTML character ♥ for ♥? (original German: "Wer wusste, dass es das HTML Zeichen ♥ für ♥ gibt?")
— Firo Xl (@firoxl) June 11, 2014

"So I started playing around and discovered that the Unicode heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped. So I used a strong HTML tag to verify this (that's the famous "I wonder if this works" tweet). It worked.
"So I wrote a little script which displays a popup and then blocks itself. It worked."

I wonder if this works: <strong>Test</strong> ♥ (original German: "Ob das wohl funktioniert: <strong>Test</strong> ♥")
— Firo Xl (@firoxl) June 11, 2014

"This is called XSS (cross-site scripting) and is very dangerous. No web developer should ever make this possible. TweetDeck did.
"I didn't know that there was such a big problem, so I experimented with this in a public environment; there was no reason not to do so."

<script>if (!a) alert("hihihi");var a=true;</script> ♥
— Firo Xl (@firoxl) June 11, 2014

"And that was the point where I reported this to TweetDeck.
"TweetDeck actually did not react in any way. Their next tweet said that there is a security issue and that users should log in again."

The vulnerability, now known to all via the news wires, made it easier for other hackers, who soon took advantage of it. Among them was @derGeruhn, who used the vulnerability to tweet a self-retweeting script that was retweeted by more than 80K users.

<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *andy (@derGeruhn) June 11, 2014

The tweet also appeared on thousands of verified accounts that used the TweetDeck application, including the Twitter account of Katherine Vargas, the White House director of Hispanic media, and the BBC's and CNN's Twitter accounts.
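The following is an added example, not TweetDeck's code and not from Florian or @derGeruhn. It reconstructs the class of bug Florian describes above: the Unicode heart triggers an image replacement, and the tweet text on that code path reaches the page as raw HTML instead of being escaped. The function names, the image markup and the exact shape of the rendering pipeline are assumptions for illustration (the real TweetDeck implementation is not shown on this page). The three payload tweets from the page are fed through a hypothetical vulnerable renderer and through a corrected one that escapes first and replaces the heart afterwards; only the rendering step is checked here, since the jQuery in the worm tweet needs a live DOM.

```javascript
// Added example (not TweetDeck's code). Reconstructs the rendering bug Florian
// describes, where a Unicode heart (U+2665) in a tweet causes the tweet body to
// be emitted as raw HTML, and shows the corrected ordering. Function names, the
// emoji markup and the pipeline shape are assumptions for illustration.

const HEART = '\u2665'; // the Unicode heart character ♥
const HEART_IMG = '<img class="emoji" alt="\u2665" src="/img/heart.png">'; // assumed markup

// Standard HTML escaping of the characters that matter in text nodes and attributes.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical vulnerable renderer: the emoji-replacement branch builds HTML
// from the raw tweet text and never escapes it, so any <script> in a tweet
// that also contains a heart survives as live markup. Tweets without a heart
// take the normal, escaped path, which is why plain <script> tweets were harmless.
function renderTweetVulnerable(text) {
  if (text.includes(HEART)) {
    return text.split(HEART).join(HEART_IMG); // raw text concatenated into HTML
  }
  return escapeHtml(text);
}

// Corrected renderer: escape first, then replace the heart. The heart is not
// one of the escaped characters, so the replacement still works, and any
// attacker markup has already been neutralised before it touches the DOM.
function renderTweetFixed(text) {
  return escapeHtml(text).split(HEART).join(HEART_IMG);
}

// Does the rendered output still contain an executable <script> element?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// The tweets quoted on the page (payload text only). The trailing heart is what
// triggers the image replacement.
const PROBE_TWEET = 'Ob das wohl funktioniert: <strong>Test</strong> \u2665';
const ALERT_TWEET = '<script>if (!a) alert("hihihi");var a=true;</script> \u2665';
const WORM_TWEET =
  '<script class="xss">$(\'.xss\').parents().eq(1).find(\'a\').eq(1).click();' +
  '$(\'[data-action=retweet]\').click();alert(\'XSS in Tweetdeck\')</script>\u2665';
// Constructed control input: same script, but no heart, so it takes the escaped path.
const CONTROL_TWEET = '<script>alert(1)</script> no heart here';

// Runs each payload through both renderers and reports whether a live <script>
// element reaches the output.
function demo() {
  return {
    vulnerable: {
      probe: containsLiveScript(renderTweetVulnerable(PROBE_TWEET)),     // false (but <strong> survives raw)
      alert: containsLiveScript(renderTweetVulnerable(ALERT_TWEET)),     // true
      worm: containsLiveScript(renderTweetVulnerable(WORM_TWEET)),       // true
      control: containsLiveScript(renderTweetVulnerable(CONTROL_TWEET)), // false: escaped, no heart
    },
    fixed: {
      alert: containsLiveScript(renderTweetFixed(ALERT_TWEET)),          // false
      worm: containsLiveScript(renderTweetFixed(WORM_TWEET)),            // false
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The lesson is ordering: any transformation that turns user text into HTML (emoji images, link auto-detection, mention highlighting) must run on already-escaped text, and every branch of the renderer must escape, not just the common one. In the worm tweet the `class="xss"` attribute lets the script find its own element once it is live in the DOM, walk up to the enclosing tweet and click its retweet control, which is what made it self-propagating across every TweetDeck client that rendered it.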

TweetDeck's response, though late, came after the incident. It tweeted that the vulnerability had been fixed and that users needed to log out of their TweetDeck account and log back in to fully apply the fix. The problem persisted, however, and TweetDeck had to take the service down for an hour to apply the fix and verify that it was working.

A security issue that affected TweetDeck this morning has been fixed. Please log out of TweetDeck and log back in to fully apply the fix.
— TweetDeck (@TweetDeck) June 11, 2014

We’ve temporarily taken TweetDeck services down to assess today’s earlier security issue. We’ll update when services are back up.
— TweetDeck (@TweetDeck) June 11, 2014

We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014

While the whole story made Florian popular, some people also believed that it was Florian who was behind the attack and that he had made the TweetDeck service unavailable, though it was TweetDeck themselves who took the service down to fix the exploit.

Florian himself stated that "all this was a big accident" and that, as of now, he was trying to help TweetDeck. It was he who reported the bug, and he said that he does not want any bounty for it.

The TweetDeck service is working fine as of now and, as reported by TweetDeck, the patch has been applied for all users.

2 COMMENTS

  1. "I was tweeting about the HTML-heart-symbol (♥), because I didn't knew, that this is possible." For being such a "hacker" and all, you'd think he would use correct grammar.

    • 1) Why would a hacker use correct grammar more than anyone else? 2) He's from Austria. How's your German?
