So XSS appears to be back in Tweetdeck.
I was first alerted when I got this pop-up :
My initial reaction was to ask out on Twitter – then I noticed it … every time there was a love heart in someone’s tweet I got a pop-up telling me there was an XSS in Tweetdeck.
I did a quick search to try and find the first reference of XSS and Tweetdeck and found https://twitter.com/pixeldesu/status/476744509783822337
After a quick dialogue and a few names .. there it was :
I had a brief chat with @firoxl and it appears that the bug was discovered by accident.
It actually was some sort of accident. ^^
I was using TweetDeck, suddenly there were 2 hearts.
I made some experiments and discovered that TweetDeck doesn’t escape HTML-chars if there is that Heart in the tweet.
As with all great discoveries – they were done by accident.
At the time of writing, Tweetdeck has now fixed the issue :
Where could it have gone to ?
Well – Firo speculates “someone could load some external js-code and build a computer-worm which takes over the accounts of many people… there are many ways this issue can be used to harm someone…”
And there you have it 3:52pm to 5:31pm – bug identified, replicated, proven, fixed and rolled out – not a bad issue fix in the grand scheme of things !
Many thanks to everyone who was involved in the making of this blog – especially Firo XI, kudos for helping out.
The FIX :
Log out of Tweetdeck – log back in again !