The last 24 hours have been a sad, scary and frustrating time for an 19-year-old aspiring programmer in Austria who found himself smack in the middle of Wednesday’s TweetDeck mess—all because of a Unicode heart.
Twitter’s real-time account dashboard was taken down for a brief time yesterday before a cross-site scripting vulnerability in the TweetDeck Chrome plug-in was properly addressed. But not before code exploiting the bug in a benign manner spread to Twitter users worldwide.
Ground zero for the incident was the Austrian teen who identified himself only as Florian to Threatpost. The youngster said things began yesterday when he tweeted out an HTML hearts symbol (&hearts) that was graphically displayed in the message.
“TweetDeck is not supposed to display this as an image, because it’s simple text, which should be escaped to “♥,” he said.
The message in fact displayed two hearts, indicating that the Unicode heart was preventing TweetDeck from escaping the HTML special character, Florian said. It was executing code automatically and likely was a cross-site scripting vulnerability.
“There were two hearts. One was black (at the position where the “♥” was supposed to be) and one was red (this one was the Unicode-character and got replaced by TweetDeck),” Florian explained. “So I started to play around, and discovered, that the Unicode-heart (which gets replaced with an image by TweetDeck) somehow prevents the Tweet from being HTML-escaped. So I used a Strong HTML tag to verify this. It worked.”
Florian said he wrote a script that displayed a pop-up and then blocked itself to confirm the vulnerability.
“This is called XSS (cross-site-scripting) and is very dangerous,” Florian said. “No web developer should ever make this possible. TweetDeck did.”
@TweetDeck You don’t escape HTML-chars if an unicode-char is in the tweet -text (eg. ♥ ). This allows XSS! <strong>FIX THAT!</strong>
— Firo Xl (@firoxl) June 11, 2014
He tweeted what he’d found to TweetDeck, which soon pushed out a fix, asking users to log out of the service and then log back in. The fix did not take, however, prompting TweetDeck to go offline for about an hour until it was resolved.
We’ve verified our security fix and have turned TweetDeck services back on for all users. Sorry for any inconvenience.
— TweetDeck (@TweetDeck) June 11, 2014
“I didn’t know that there is such a big problem. So I experimented with this in a public environment, there was no reason not to do so,” Florian said. “And that was the point where I reported this to TweetDeck.
“TweetDeck actually did not react in any way,” Florian said. “Their next Tweet was saying that there is a security-issue and the users should log in again.”
In the interim, a small worm was written by a Twitter user @derGeruhn that was retweeted automatically by tens of thousands of accounts.
“The last 24 hours? They were ‘unreal’ in a way,” Florian said. The teen spent much of the day defending himself against people calling him a hacker and taking turns applauding and criticizing his actions. “At first it was very annoying because people do not [understand] that I haven’t hacked and shut down TweetDeck, but they did themselves.”
Cross-site scripting is one of the most common and dangerous web application vulnerabilities, putting users at risk for serious compromises. In the case of the TweetDeck exploit, an attacker could take over a user’s account, post or delete tweets or deface the account.
Cross-site scripting occurs when attackers are able to inject code into webpages or web-based services that can automatically be executed by a user’s browser. Hackers successfully executing a cross-site scripting attack can remotely inject code client-side, leading to data loss or service interruption.
“This vulnerability very specifically renders a tweet as code in the browser, allowing various cross site scripting (XSS) attacks to be run by simply viewing a tweet,” said Trey Ford, global security strategist at Rapid7 yesterday in a statement. “The current attack we’re seeing is a ‘worm’ that self-replicates by creating malicious tweets.”