XSS Tutorial #7 – Twitter’s Tweet Deck XSS (June 2014)

Welcome to XSS Tutorial #7: Twitter’s TweetDeck XSS, June 2014. In this video we will be talking about the cross-site scripting attack that hit Twitter in June of 2014. Every video will have all slideshows and code available in the description. –
So what happened? On the morning of June 11, Twitter applied a revamp to the user interface of its web application TweetDeck. TweetDeck is a tool that lets you easily manage Twitter accounts, offering several layouts and customization options for multiple streams. A few hours after the release of the update, a self-retweeting tweet was posted: it retweeted itself from the account of anyone using TweetDeck who saw it, climbing to 81k retweets in just a few hours and being seen by millions of people. –
Now, how did this happen? It’s suspected that after rebuilding the user interface, the developers of the tweet layout forgot to HTML-encode the tweets coming from the database. This means any script contained in a tweet was left to execute in TweetDeck for anyone who saw it. Luckily, it did not affect regular users of the Twitter website, only TweetDeck users. –
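To make the root cause concrete, here is an added example (not TweetDeck’s or Twitter’s code) of the rendering mistake described above, a tweet body concatenated straight into page markup, next to the hardened version that HTML-encodes every user-controlled value before it touches the HTML string. The `escapeHtml`, `renderTweetUnsafe`, `renderTweetSafe` and `containsRawTag` names, and the sample tweet, are all constructed for this illustration; the sample is a harmless placeholder, not the 2014 payload.

```javascript
// Added example (not TweetDeck's code): the rendering bug described above,
// a tweet body inserted into page HTML without encoding, beside the fix.

// Encode the five characters that let untrusted text change HTML structure
// or break out of an attribute value.
function escapeHtml(text) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the tweet text is concatenated straight into markup,
// so a tweet containing a <script> tag becomes a script element in the
// rendered column (the class of bug the video attributes to the UI rewrite).
function renderTweetUnsafe(tweet) {
  return '<div class="tweet"><p class="tweet-text">' + tweet.text + '</p></div>';
}

// Hardened version: every piece of user-controlled text is encoded before it
// is placed in the HTML string, so the browser shows tags as literal text.
function renderTweetSafe(tweet) {
  return '<div class="tweet"><p class="tweet-text">' + escapeHtml(tweet.text) + '</p></div>';
}

// A minimal regression check a team can run over rendered output: does a
// raw <script> tag from the input survive into the markup?
function containsRawTag(html) {
  return /<\s*script\b/i.test(html);
}

// Constructed sample tweet (hypothetical, not the real 2014 tweet): a harmless
// tag plus quotes and an ampersand to exercise the encoder.
const sampleTweet = { text: '<script>alert("hi")</script> & a heart ♥' };

// Returns what each renderer produced and whether a raw tag leaked through.
function demo() {
  const unsafe = renderTweetUnsafe(sampleTweet);
  const safe = renderTweetSafe(sampleTweet);
  return {
    unsafeHasScript: containsRawTag(unsafe), // true: the bug
    safeHasScript: containsRawTag(safe),     // false: encoded on output
    safe,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

One caveat worth knowing when auditing jQuery-based views like TweetDeck’s: jQuery’s `.html()` evaluates `<script>` elements found in the markup it inserts, so a template that builds strings and hands them to `.html()` has exactly the exposure the unsafe renderer shows. Encoding at the point of output, as `renderTweetSafe` does, removes it regardless of how the markup is later inserted.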
Let’s have a look at all of the code. Yup, this is it. Twitter has a 140-character limit on posts, so to keep the character count of the code down it was written with the aid of jQuery. jQuery is a JavaScript library that adds some new syntax for finding and interacting with tag elements. –
Alright, let’s step through how the code works. First, the all-familiar script tag. However, this time when it’s opened it’s given the class name xss; this will come in handy in the next line of code. Then we have the closing script tag. If you left this off you would probably mess up the whole page for anyone who viewed it, which would get you in big trouble. There was even enough room left over to place a Unicode heart at the end of the tweet. –
Alright, here is the first line of the script. First, use the jQuery dollar sign to select any element on the page with the class xss; you will remember this script tag was given the class name xss. Then get a list of all the parent tags that enclose this element, so this will be things such as the text area of the tweet, the whole tweet box, the tweet frame, then the tweet stream, etc. Then we retrieve the second parent tag; remember arrays and lists start from 0, so 1 is the second element. Then find a list of all the a tags inside this parent tag, which will be the reply button, retweet button, favorite button and more button. We then retrieve the second link, which again counting from 0 is the retweet button. Then we click it. –
Now let’s move on to the second line of the script. This one is much shorter. First, use jQuery again to select any element on the page, this time with the attribute data-action=retweet. This happens to be the pop-up box asking if you are sure you want to retweet. Then we click it. Done! Retweeted. –
The final line of the script is, as I am sure you are familiar with by now, the alert: it makes a pop-up dialog box saying “XSS in Tweetdeck”. –
Alright! That’s it for the cross-site scripting tutorial! I hope you enjoyed it; let me know in the comments! I’ll also leave a link to the self-retweeting tweet in the description. Don’t worry, it’s harmless now. If you have any questions, leave them in the comments and I’ll try to answer them as best as possible! Don’t forget to subscribe. Thanks for watching.

16 thoughts on “XSS Tutorial #7 – Twitter’s Tweet Deck XSS (June 2014)”

  1. I need to insert JavaScript into Gmail and run it … HOW?
    I can run HTML in Gmail but the JavaScript parts are automatically deleted …

  2. If I have a textbox limited to a short amount of characters, how/can I change that? I can't just inspect element and change maxlength on the DOM element… There is a script or something checking the length.
