
Twitter XSS Hack

Tweetdeck was attacked by an interesting little hack. Annoying, but not a big deal. Also interesting to codeheads.

It plays out like so… Someone you follow appears to tweet a bit of code garble. This tweet then appears in your Tweetdeck feed. Simply by appearing, the garbled code runs on your computer, resulting in the tweet being retweeted from your account.

Much of the functionality of Tweetdeck is powered by Javascript, the language responsible for much of the interactivity of the modern web. Allowing users to add Javascript code to their tweets is dangerous: if their tweet appears on a page, they can change or hijack the way the web app works. This could result in pages that appear not to load or become unresponsive, a user's browser consuming a large amount of system resources until the program or computer crashes, or any number of other annoying things.

The result of the Tweetdeck hack is that Tweetdeck is now offline for repairs and its users are forced back to twitter.com to share photos of their pancakes. Annoying, but not a big deal.

Gritty Technical Details
Written using jQuery (a Javascript library used by Tweetdeck), the tweet embeds itself in a script tag (like embedding Javascript inline on a page) and then runs. It then looks at the parents of the .xss div, gets the 2nd link in the xss div, and triggers a click on it (as if you had clicked the link). It then finds the link with the data-action="retweet" attribute and fires a click event on it. From the browser's perspective, you have now just retweeted the tweet. The final bit triggers an alert which informs you of what has just happened.

For the nerds, the tweet containing the contents of the hack is below:

<script>$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>
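The payload only works because the tweet body was placed into the page as raw HTML, so the browser parsed the script tag and ran it. The added example below is not Tweetdeck's code; it is a small illustration of the difference between dropping untrusted tweet text straight into markup and escaping it first, with the tweet above as a constructed sample input (the function names, the renderTweet markup and the sample user name are all assumptions for the demonstration):

```javascript
// Added example, not Tweetdeck's code: why the payload ran, and the fix.
// A tweet body is untrusted text. If the client concatenates it into HTML,
// anything the browser parses as a tag becomes live DOM, including <script>.

// Minimal HTML escaper covering the five characters that can alter HTML structure.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable rendering (hypothetical): tweet fields go straight into the markup.
function renderTweetUnsafe(tweet) {
  return '<div class="tweet"><span class="user">' + tweet.user + '</span>: ' +
    tweet.text + '</div>';
}

// Hardened rendering (hypothetical): every untrusted field is escaped first,
// so the payload is displayed as literal text instead of being executed.
function renderTweetSafe(tweet) {
  return '<div class="tweet"><span class="user">' + escapeHtml(tweet.user) +
    '</span>: ' + escapeHtml(tweet.text) + '</div>';
}

// Check whether rendered markup still contains a script start tag that the
// browser would execute; a cheap assertion for a rendering unit test.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample tweet carrying the payload quoted in the article.
const sampleTweet = {
  user: 'someone_you_follow',
  text: "<script>$('.xss').parents().eq(1).find('a').eq(1).click();" +
    "$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>",
};

console.log('unsafe:', renderTweetUnsafe(sampleTweet));
console.log('safe:  ', renderTweetSafe(sampleTweet));
console.log('unsafe executes script?', containsScriptTag(renderTweetUnsafe(sampleTweet)));
console.log('safe executes script?  ', containsScriptTag(renderTweetSafe(sampleTweet)));
```

Run it with node to see both renderings side by side: the unsafe one contains a live script tag, the safe one shows the tweet exactly as the attacker typed it, harmless. The same principle applies to every place a client app inserts user content, and escaping at the point of insertion (or using DOM APIs such as textContent rather than innerHTML) is the standard fix.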


Philip Joyner

Not only can the man stare down CSS code until it writes itself in sheer terror, but he is famous around 220 E. Hall St for what we like to call his “happy dance”. Few have seen it, and those who have can’t get enough.
