TweetDeck wasn't actually hacked, and everyone was silly

Summary: Twitter's popular account management service TweetDeck got nailed by the public discovery of a cross-site scripting vulnerability that not only replicated itself, but managed to make the security issue into a hilarious comedy of errors.

Twitter's popular account management service TweetDeck got nailed when a hacker discovered and announced a cross-site scripting (XSS) vulnerability, one which replicated itself and became a comedy of errors — and misreporting.

Twitter temporarily disabled TweetDeck, which it owns, until the issue was fixed, but much ridiculousness had already been unleashed by one Twitter user, an Austrian teenager calling himself "Firo," who told CNN on Wednesday he was just trying to tweet out a pink "heart" icon.

TweetDeck wasn't hacked. It was already broken

The important thing to understand is that Firo didn't "hack" TweetDeck. The bug has always been in TweetDeck, and he was simply the first to publicly point it out.

Some news outlets reported that TweetDeck was hacked, while others have reported that there was a TweetDeck worm — a standalone malware program.

But TweetDeck was already broken, and it had been all along. It's highly likely that this vulnerability has been exploited quietly by others until now.

While today's antics were harmless — though embarrassing for some and inconvenient for others — earlier uses of this vulnerability were probably not so light-hearted.

The vulnerability allowed JavaScript embedded in a tweet to execute in the TweetDeck client of anyone viewing it: the code displayed the prankster's message in a pop-up dialog window and retweeted itself from the viewer's account, each copy ending with a little pink heart.

Basically, TweetDeck's own Google Chrome browser plugin wasn't stripping script tags out of tweet text before rendering it, so any script in a tweet ran in the viewer's browser. As a result, over 83,000 Twitter users retweeted the script.

[Image: The code that caused the spread of tweets in the first place. (Screenshot: ZDNet/CBS Interactive)]

It also resulted in high-profile and verified accounts — estimated at 30,000 in total, including @NYTimes and @BBCBreaking — automatically retweeting the bug, and so on.

Let the "lulz" begin

The opportunity for "lulz" was simply irresistible in security communities.

The hacker who started this mess told CNN that he notified Twitter immediately.

However, by tweeting his experiment with the XSS bug live, along with a note saying "Vulnerability discovered in TweetDeck. \ o /", he had also essentially notified anyone else who saw his tweets.

Others used the bug to begin pranking Twitter users. Messages in the pop-up dialogue box included a reference to the RickRoll meme, saying "NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN" while others got "HACKED," or the classic body part reference seen below.

Some used it as an opportunity to warn TweetDeck users:

Many a truth was said in jest, some explained:

Some sarcastically chided powerful Twitter accounts for running their accounts on autopilot — which in this instance, turns out to be an irresponsible practice:

Rapid7's global strategist Trey Ford provided Business Insider with greater detail on the TweetDeck bug:

"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet.

The current attack we're seeing is a worm that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome."

Twitter has resolved the issue and issued a patch, requesting that TweetDeck users log out and back in again to activate the fix.

Curious minds can investigate the diff below:

Correction, Friday, June 13: This article has been updated to cite Florian (aka Firo) as the hacker who found the JavaScript bug, and not *andy as previously stated. We regret any confusion this may have caused.

  • Not hacked???

    So, TweetDeck was not hacked because the vulnerability already existed? By that logic, there is no such thing as a hacker, because there must have been a vulnerability or the "hacker" would have failed. Sounds like faulty logic to me. Arguably, the person who tries to hack software is a hacker regardless of whether or not they succeed. I think what sets this incident apart is that it appears the infiltrator never had any intention of breaking in. They just happened to find the proverbial door unlocked and chose to enter and ransack the place.

    Explain to me again why this person was not a hacker?
    • Lifehacker is also full of hacks

      But that doesn't mean the company that owns the alarm clock I configured to blink yellow instead of green has been hacked. As an aside, if you sit there trying to make Gmail do little hearts instead of stars when you "star" an email, does that make you a hacker? And if you find a bug when you do it, does that mean you "hacked Google"?

      *andy is a hacker (I said he was in my article, by the way), and yes this is "a hack" -- in hindsight. *andy didn't have anything more than user-level access and he didn't do anything with what he found. We can talk all day about what could have been done with this, and that still doesn't add up to headlines stating a trusted company was hacked into or telling the public that a hacker is responsible for a TweetDeck worm (malware). It's easy for journos to write whatever they want about "kids" "hacking" things because they don't know what they're talking about, and neither do the public, which is exactly the problem here. Saying that "TweetDeck got hacked" is just wrong, especially insofar as the public is concerned because to the general public who thinks a hacker made TweetDeck harmful, that's misinformation. The point here is that TweetDeck was *already* harmful.

      (And it has been fixed.)

      TL;DR: A script kiddie found a JavaScript bug, but he didn't compromise TweetDeck or Twitter, Inc.

      See also:
      • Hacking damage

        With all due respect, Violet, he did DO something. What he did had the effect of shutting down TweetDeck for a few hours. If shutting things down is not a problem, why are the politicos and the media trying to hang NJ governor Christie over a bridge closure?
  • Yeah, that's a hack

    Perhaps there's no agreed-upon definition for the word, but I'd say that exploiting a vulnerability qualifies as a hack. It's not like real hackers insert vulnerabilities into code, they utilize them.
    • exploit definition

      1. (v) make full use of and derive benefit from (a resource).
      2. (n) a software tool designed to take advantage of a flaw in a computer system, typically for malicious purposes such as installing malware.

      so - there was no 'exploit' because no one benefited or had intentions to benefit from this little scripting demo.
      • uh, this was an exploit

        He took advantage of a flaw in TweetDeck to add a heart. Not a large benefit, but one that he was after to begin with.
      • Ah, that makes more sense.

        Consider these:

        1. (n) a thing constituting a piece of evidence about the past, especially an account of an act or occurrence kept in writing or some other permanent form. an official report of the proceedings and judgment in a court. A number of related items of information that are handled as a unit.
        2. (n) the sum of the past achievements or actions of a person or organization; a person or thing's previous conduct or performance.
        3. (n) the best performance or most remarkable event of its kind that has been officially measured and noted.
        4. (n) a thin plastic disk carrying recorded sound, especially music, in grooves on each surface, for reproduction by a record player.
        synonyms: album, vinyl
        5. (v) set down in writing or some other permanent form for later reference, especially officially.
        "they were asked to keep a diary and record everything they ate or drank"
        synonyms: write down, put in writing, take down, note, make a note of, jot down, put down on paper; state or express publicly or officially; make an official record of.
        6. (v) convert (sound or a performance) into permanent form for later reproduction.

        So in the case of a record that might document a penultimate sporting achievement, or perhaps a court trial, is it only truly a record if it is thin and plastic?
  • hacked?

    The world is too crazy and insecure. Hackers can get very personal information that they need by hacking. Sometimes, they can even find out the password using special hack tools. It's worth mentioning that hacking can be very useful in certain conditions. A child in my neighborhood behaved erratically some time ago; her parents used Micro keylogger to get her FB password and found that someone was trying to tempt her into taking drugs. That is terrible.
  • Violet Blue, thank you for the story

    it is so well told, with so many details, and very well balanced.

    • Except

      Except for the fact that everything that has ever been hacked in the history of ever was hacked because someone took advantage of a preexisting flaw in software to make it do something it was not intended to do, most often, allow the user to do something beyond their privileges. In this case, they exploited a flaw that allowed them to tweet using other people's accounts. That is most certainly TweetDeck getting hacked. Nobody ever claimed that the company's servers were broken into or anything like that, but the application was, without even the slightest touch of uncertainty, hacked.
  • Technical details?

    Could someone explain to me what actually happened here? (Yes, I know what XSS is and how to properly encode HTML characters that normally have special meaning.) Is the heart icon at all related to the problem, or was Tweetdeck just not escaping script tags at all?
    • You got it

      You got it. They failed to stop the browser from executing arbitrary code that it got in tweets.
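The mechanism the article describes (tweet text reaching the browser as markup rather than as text) and the question above about whether the heart icon mattered can both be shown with a small rendering example. What follows is an added illustration, not TweetDeck's or Twitter's code: the sample tweet objects, the `renderTweetUnsafe` and `renderTweetSafe` functions and the `containsScriptElement` check are all constructed for this page.

```javascript
// Added example (not TweetDeck's or Twitter's code): how a client that renders
// tweet text into HTML should treat that text. The bug described in the article
// was that tweet text reached the DOM as markup, so a <script> element inside a
// tweet ran in every viewer's browser. The fix is to treat tweet text as data.

// Characters that carry meaning in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape tweet text so the browser displays it verbatim instead of parsing it.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable rendering: untrusted fields are concatenated straight into markup.
// This mirrors the failure the article describes; it is here only for contrast.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><span class="user">${tweet.user}</span> ${tweet.text}</div>`;
}

// Hardened rendering: every untrusted field is escaped before concatenation,
// so a "<" in a tweet can never open an element.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><span class="user">${escapeHtml(tweet.user)}</span> ${escapeHtml(tweet.text)}</div>`;
}

// Check a test or reviewer can run over rendered output: did a script element
// make it into the HTML? The safe renderer must never let this return true.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample tweets (not real tweets from the incident). The second one
// carries a harmless script element next to the U+2665 heart the article mentions.
const SAMPLE_TWEETS = [
  { user: 'alice', text: 'just a normal tweet with a heart ♥' },
  { user: 'mallory', text: '<script>alert("constructed sample")</script> ♥' },
];

for (const tweet of SAMPLE_TWEETS) {
  console.log('unsafe:', renderTweetUnsafe(tweet),
              '| script present:', containsScriptElement(renderTweetUnsafe(tweet)));
  console.log('safe:  ', renderTweetSafe(tweet),
              '| script present:', containsScriptElement(renderTweetSafe(tweet)));
}
```

In a real browser client the equivalent of `renderTweetSafe` is to assign tweet text with `textContent` (or a templating library that escapes by default) rather than `innerHTML`. The heart passes through `escapeHtml` untouched, which answers the question above: the heart was ordinary text in the tweet; the problem was the unescaped script element beside it.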