It was 3pm GMT when a 19-year-old Austrian nicknamed Firo was sending a tweet. There were millions of us tweeting too and his actions were not unusual. As he typed his tweet, he inserted a heart character and noticed that two appeared. Curiosity got the better of him and he started playing with his tweet. His discovery was that he could insert code into his tweet and yet it was only showing his love heart.
The thing about Twitter is that it attracts like-minded individuals together. When Firo’s followers received his tweet in Tweetdeck, they got a pop-up box with some text in it. When they re-tweeted it, so did their followers and so we see an initial growth. Firo knows computing, his friends know computing too and their circles are all in the same areas. After 30 minutes, the UK was receiving these curious messages and word was out…
XSS in Tweetdeck
When the tinkerers saw what they could do with simple script, they had a field day sending funny messages over Twitter. As the Tweets grew, so did the curiosity, Firo was past playing with the bug and the message was spreading. Within 2 hours, Tweetdeck was almost becoming a ghost town as the message sank in…
There is an XSS in Tweetdeck
– this is serious.
We shut it down, un-linked our Twitter accounts. Two hours after the initial finding of the bug, the users were savvy enough to understand its severity and was protecting itself.
Shortly after this was where we saw the self a propagating tweet. Using the same framework, it gave you the pop-up message but you automatically re-tweeted it. When this variant hit the BBC breaking site, 10.1 million followers received that tweet. Any using Tweetdeck automatically re-tweeted it. This was now a dangerous game and Tweetdeck pulled the plug.
A wise move by all accounts, had it been allowed to proliferate, Twitter could have fast become overrun and more harmful code code have been injected into a Tweet. Fingers were pointed to bad programming, the Twitter takeover and yes, I dare say the Governments probably got a finger pointed or two.
Bugs exist in code because we write code. Humans write code. We are not perfect. Bugs are found every day, some are low impact and some critical. A bug is simple to introduce by accident and can lay in some cases for over a decade (OpenSSL).
Firo did no wrong, he is a good definition of a hacker, he got curious and worked out what it could do. The media should not demonify him for his actions, in the same way Codenomicon should not be demonified for finding HeartBleed. Firo is a hacker. The media should learn that this is a good thing. He is not a criminal. Someone who finds bugs and has the intent to cause harm is a criminal. We need to separate these terms and this is a perfect opportunity.
Well done to the hacker Firo for finding this bug even if it was by accident (as most great discoveries are!).
We must also applaud Tweetdeck for such a fantastic and speedy resolution to the bug fix. I have no idea how many thousand lines of code they had to go through, but they did and they fix it.
I wonder what the next bug will be that is found today ?
I wonder if it will be in an 90s game that if you press IDDQD, IDKFA, IDCLIP ……..