On the 11th of June 2014, this was released onto TweetDeck:
It is a script tag containing JQuery, which when executed in the browser, would automatically retweet itself without the users knowledge. Usually, Tweetdeck would have a filter on for this to convert every < and > into < and >
However, on the 11th of June 2014. this filter was turned off, which allowed XSS attacks like this to happen.
What the user would see
All the user would see is the red love heart, as the browser would automatically hide and execute anything inside the <script> tags. In this case, the code inside of the <script> tags only retweeted itself and then showed a message box saying “XSS in TweetDeck”, however the attacker could have done many things worse than that. He could have injected the victim with ransomware or even delete everything on TweetDeck. The possibilities are almost endless.
Any website that takes a user input (Whether it be usernames, questions or even random numbers) should never simply echo the user input back to the browser. Say for example the user puts this in their input: <b> – Everything on the page would turn bold, which would mess up the webpage.
Or let’s say that the user puts this in their input:
>window.location.href = "http://troyhunt.com/"<
The user would then get redirected to troyhunt.com.
The point is that not filtering out html tags in a user input can lead you seriously vulnerable to XSS attacks and could infect the people that visit your website with malware.
Apparently BBC Wales and BBC Breaking News was affected by this XSS attack aswell 😀
Also, if you want to know how the XSS attack worked in more detail, there is a YouTube video by Tom Scott here: