TweetDeck wasn't actually hacked, and everyone was silly

Twitter's popular account management service TweetDeck got nailed by the public discovery of a cross-site scripting vulnerability that not only replicated itself, but managed to make the security issue into a hilarious comedy of errors.
Written by Violet Blue, Contributor

Twitter's popular account management service TweetDeck got nailed when a hacker discovered and announced a cross-site scripting (XSS) vulnerability, one which replicated itself and became a comedy of errors — and misreporting.

Twitter temporarily disabled TweetDeck, which it owns, until the issue was fixed, but much ridiculousness had already been unleashed by one Twitter user, an Austrian teenager calling himself "Firo," who told CNN on Wednesday he was just trying to tweet out a pink "heart" icon.

TweetDeck wasn't hacked. It was already broken

The important thing to understand is that Firo didn't "hack" TweetDeck. The bug has always been in TweetDeck, and he was simply the first to publicly point it out.

Some news outlets reported that TweetDeck was hacked, while others have reported that there was a TweetDeck worm — a standalone malware program.

But TweetDeck was already broken, and it had been all along. It's highly likely that this vulnerability has been exploited quietly by others until now.

While today's antics were harmless — though, embarrassing for some and inconvenient for others — other uses of this vulnerability until today were probably no so light-hearted.

The vulnerability allowed a TweetDeck user's Twitter timeline to tweet out JavaScript code that executed any prankster's messages as a pop-up dialog window, as well as replicating itself in retweets, which came with a little pink heart at the end.

Basically, TweetDeck's own Google Chrome browser plugin wasn't stripping out scripts that allowed a JavaScript execution. And as a result, over 83,000 Twitter users retweeted the script.

TweetDeck Hacked
The code that caused the spread of tweets in the first place. (Screenshot: ZDNet/CBS Interactive)

It also resulted in high-profile and verified accounts — estimated at 30,000 in total, including @NYTimes and @BBCBreaking — automatically retweet the bug, and so on.

Let the "lulz" begin

The opportunity for "lulz" was simply irresistible in security communities.

The hacker who started this mess told CNN that he notified Twitter immediately.

However, by tweeting his experiment with the XSS bug live, along with a note saying, ("Vulnerability discovered in TweetDeck. \ o /"), he had also essentially notified anyone who also saw his tweets.

Others used the bug to begin pranking Twitter users. Messages in the pop-up dialogue box included a reference to the RickRoll meme, saying "NEVER GOING TO GIVE YOU UP, NEVER GOING TO LET YOU DOWN" while others got "HACKED," or the classic body part reference seen below.


Some used it as an opportunity to warn TweetDeck users:

Many a truth was said in jest, some explained:

Some sarcastically chided powerful Twitter accounts for running their accounts on autopilot — which in this instance, turns out to be an irresponsible practice:

Rapid7's global strategist Trey Ford provided greater detail to Business Insider into the TweetDeck bug: 

"This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet.

The current attack we’re seeing is a 'worm that self-replicates by creating malicious tweets. It looks like this primarily affects users of the Tweetdeck plugin for Google Chrome."

Twitter has resolved the issue and issued a patch, requesting that TweetDeck users log out and back in again to activate the fix.

Curious minds can investigate the diff below:

Correction, Friday, June 13: This article has been updated to cite Florian (aka Firo) as the hacker who found the JavaScript bug, and not *andy as previously stated. We regret any confusion this may hav caused.

Editorial standards