XSS and Tweetdeck and the person behind the discovery

So XSS appears to be back in Tweetdeck.


I was first alerted when I got this pop-up :


My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.


I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337

After a quick dialogue and a few names .. there it was :

Capture 33

I had a brief chat with @firoxl and it appears that the bug was discovered by accident.

It actually was some sort of accident. ^^


Capture 44

I was using TweetDeck, suddenly there were 2 hearts.

I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.

As with all great discoveries – they were done by accident.

At the time of writing, Tweetdeck has now fixed the issue :



Where could it have gone to ?

Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”

And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !


Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.


 The FIX :

Log out of Tweetdeck – log back in again !




15 thoughts on “XSS and Tweetdeck and the person behind the discovery

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s