XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.

 

I was first alerted when I got this pop-up :

Capture22

My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.

 

I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names .. there it was :

Capture 33

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^

https://twitter.com/firoxl/status/476738843841159168

Capture 44

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.

At the time of writing, Tweetdeck has now fixed the issue :

https://twitter.com/TweetDeck/status/476763638695743489

Capture55

Where could it have gone to ?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !

 

Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.

 

 The FIX :

Log out of Tweetdeck – log back in again !

 

 

 

About these ads

15 thoughts on “XSS and Tweetdeck and the person behind the discovery

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s