XSS and Twitter: The Self Retweeting Tweet

On the 11th of June 2014, this was released onto TweetDeck:

It is a script tag containing JQuery, which when executed in the browser, would automatically retweet itself without the users knowledge. Usually, Tweetdeck would have a filter on for this to convert every < and > into &lt; and &gt;

However, on the 11th of June 2014. this filter was turned off, which allowed XSS attacks like this to happen.

What the user would see

All the user would see is the red love heart, as the browser would automatically hide and execute anything inside the <script> tags. In this case, the code inside of the <script> tags only retweeted itself and then showed a message box saying “XSS in TweetDeck”, however the attacker could have done many things worse than that. He could have injected the victim with ransomware or even delete everything on TweetDeck. The possibilities are almost endless.

Summary

Any website that takes a user input (Whether it be usernames, questions or even random numbers) should never simply echo the user input back to the browser. Say for example the user puts this in their input: <b> – Everything on the page would turn bold, which would mess up the webpage.

Or let’s say that the user puts this in their input:

<script language=”JavaScript”>window.location.href = "http://troyhunt.com/"</script>

The user would then get redirected to troyhunt.com.

Final Summary

The point is that not filtering out html tags in a user input can lead you seriously vulnerable to XSS attacks and could infect the people that visit your website with malware.

Extra

Apparently BBC Wales and BBC Breaking News was affected by this XSS attack aswell 😀

Also, if you want to know how the XSS attack worked in more detail, there is a YouTube video by Tom Scott here:

20/09/2015

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s