
How exactly did the recent TweetDeck vulnerability work? It says here that it had something to do with the HTML heart character but I don't fully understand what the explanation means. From the link:

"I was tweeting about the HTML-heart-symbol (♥), because I didn't know that this is possible," he told The Register in response to questions via email.

TweetDeck is not supposed to display this as an image. Because it's simple text, which should be escaped to '&hearts;'. But in my tweet I used the Unicode-character of the heart as a reference for my followers.

There were two hearts. One was black (at the position where the ♥ was supposed to be) and one was red (this one was the Unicode-char and got replaced by TweetDeck).

So, I started to play around, and discovered, that the Unicode-Heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped. So I used a strong-HTML-tag to verify this ... It worked.

So I wrote a little script which displays a popup and then blocks itself. It worked."

What exactly was the attack vector here? And how did it "somehow prevent the tweet from being HTML-escaped"?

  • Google searches produced the following example: http://blog.sucuri.net/2014/06/serious-cross-site-scripting-vulnerability-in-tweetdeck-twitter.html – schroeder Jun 19 '14 at 19:13
  • and this: http://readwrite.com/2014/06/11/xss-explained-tweetdeck-vulnerability#awesm=~oHF0l34r1Lgs8V – schroeder Jun 19 '14 at 19:15
  • thanks .. i do understand how XSS works .. i am more interested in understanding what exactly the attack vector was .. i guess i should edit the question to say so .. – Eels Jun 19 '14 at 20:06
  • http://g-liu.com/blog/2014/06/how-tweetdeck-got-hacked-the-non-technical-answer/ - kindly check if this helps. – user917279 Aug 05 '14 at 10:44
  • hi .. thanks a lot .. this explains it pretty neatly .. if you could enter your comment as an answer, i'll mark it as correct .. – Eels Aug 17 '14 at 00:58

1 Answer

This attack worked for a very simple reason - TweetDeck did not sanitize the user input at all under some circumstances. The attacker did not discover a clever way to fool the XSS filter. Instead he found a way to turn it off. As your quote says:

So, I started to play around, and discovered, that the Unicode-Heart (which gets replaced with an image by TweetDeck) somehow prevents the tweet from being HTML-escaped.

Apart from the obvious fact that the person who wrote the code was not very good at his or her job, we can only speculate why a Unicode heart would turn the filter off. My guess is that they wanted to render the heart with an <img> tag, and that the tag got caught in their own filter. So they did an easy solution and just turned the filter off when they needed to insert HTML into a tweet.

But that is just a guess. To know for sure you would have to ask them, and I doubt they would answer.

So all he needed to do after the discovery was to write some JavaScript to do the automatic retweeting, slap a heart at the end, and tweet it. If you have enough followers who are using TweetDeck, it will spread by itself from there.

Some good non-technical explanations:

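The failure pattern the answer guesses at, as an added illustration that is not TweetDeck's code: a renderer that skips escaping whenever it has to insert its own emoji `<img>`, next to the safe ordering (escape the untrusted text first, then substitute trusted markup). Function names, the `HEART_IMG` markup and the sample tweet are assumptions constructed for the example.

```javascript
// Added example, not TweetDeck's code. Names, markup and sample input are assumptions.

// Minimal HTML escaping for text placed into element content or attributes.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

const HEART = '\u2665';                                           // U+2665 BLACK HEART SUIT
const HEART_IMG = '<img class="emoji" alt="\u2665" src="/emoji/heart.png">'; // assumed markup

// Vulnerable ordering: escaping is skipped whenever an emoji image has to be inserted,
// because escaping the finished string would mangle the <img> tag itself.
// Tweets without a heart are escaped normally, so the filter only "turns off" on demand.
function renderTweetVulnerable(text) {
  if (text.includes(HEART)) {
    return text.split(HEART).join(HEART_IMG); // untrusted markup reaches the DOM unescaped
  }
  return escapeHtml(text);
}

// Safe ordering: escape the untrusted text first, then splice in the trusted markup.
// The heart glyph survives escaping untouched, so the substitution still works.
function renderTweetSafe(text) {
  return escapeHtml(text).split(HEART).join(HEART_IMG);
}

// Constructed sample input: the <strong> probe from the quoted account plus a Unicode heart.
const SAMPLE = '<strong>hello</strong> \u2665';

// Defender-side check: does the rendered output contain any tag other than our own emoji <img>?
function containsRawTag(html) {
  return /<(?!img class="emoji")[a-z]/i.test(html);
}

console.log(containsRawTag(renderTweetVulnerable(SAMPLE))); // true: <strong> got through
console.log(containsRawTag(renderTweetSafe(SAMPLE)));       // false: only the emoji <img> remains
```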