Earlier today, a tweet caused significant trouble and ire among TweetDeck users. It didn’t look like your average tweet:
<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥
— *arrrrndy (@derGeruhn) June 11, 2014
Users didn’t even have to click on the tweet. Just the act of viewing the tweet would cause the user to automatically retweet it. As a result, the message was seen and retweeted all over Twitter, in some cases over ten thousand times. But how could one tweet cause such devastation? The details lie in the code.
Cross-Site Scripting 101
First of all, what is cross-site scripting? XSS, as it’s commonly abbreviated, is a weakness in the design of a website that allows hackers to insert malicious code into a web page or application, altering the intended operation of the service. Preventing such attacks is a common concern among web developers.
That little bit of code in between
A well-secured web service would never allow such code to perform malicious actions. Behind the scenes, all user-supplied text that passes through the web server gets sanitized (escaped) before it is placed in the page, so that it is simply displayed as text and not run as a script. Unfortunately for TweetDeck, its engineers forgot to sanitize such tweets, allowing scripts to run inside a tweet instead of displaying as benign text.
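As an added illustration (not TweetDeck's own code), here is the difference between interpolating tweet text straight into markup and escaping it first, using the tweet above as constructed sample input; escapeHtml, renderTweetUnsafe, renderTweetSafe and containsScriptTag are hypothetical names:

```javascript
// Added example, not TweetDeck's code: treating tweet text as text, not markup.
// The unsafe renderer interpolates the raw tweet body into HTML (the bug the
// article describes); the safe renderer escapes the five HTML-significant
// characters first, so the browser displays the script as inert text.

// The tweet from the article, embedded here as constant sample input.
const XSS_TWEET =
  "<script class=\"xss\">$('.xss').parents().eq(1).find('a').eq(1).click();" +
  "$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>\u2665";

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape text for insertion into element content or a quoted attribute value.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the tweet body becomes markup, so <script> is parsed and executed.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><p>${tweet.text}</p>` +
    `<a data-action="retweet">Retweet</a></div>`;
}

// Hardened: every untrusted field is escaped at the point it enters the HTML.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><p>${escapeHtml(tweet.text)}</p>` +
    `<a data-action="retweet">Retweet</a></div>`;
}

// Regression check usable in tests: the template itself contains no <script>,
// so any occurrence means untrusted text was interpolated unescaped.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```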
Taking apart the code
If you were on TweetDeck, all you would have seen is the heart symbol, because the script doesn’t display its own code. However, viewing the tweet on Twitter reveals the script’s code.
Let’s examine the code inside this tweet. First of all, it’s all on one line to fit within Twitter’s 140-character limit. Let’s make it more readable by adding line breaks and spacing. Don’t worry, this does not affect the functionality of the code in any way.
$( '.xss' ).parents().eq( 1 )
    .find( 'a' ).eq( 1 ).click();
$( '[data-action=retweet]' ).click();
alert( 'XSS in Tweetdeck' )
The first line of code selects the <script class="xss"> element in the tweet, then .parents().eq(1) references the displayed tweet that contains it. In the second line, .find('a').eq(1) finds the retweet link, and .click() simulates a click just as if you had clicked it yourself. On TweetDeck, hitting the retweet button brings up this window:
Examining the web page source, this code defines the blue Retweet button:
<button data-action="retweet" class="js-action-button js-retweet-button btn btn-positive">Retweet</button>
The third line selects this button by its data attribute and, again, simulates a click with click(). Because all of this script runs automatically, you’ve just unwillingly retweeted the tweet without even moving your mouse.
But wait, there’s one more line.
alert( ... ) simply displays a conspicuous message in your browser (in some browsers, a popup) that says “XSS in Tweetdeck”. It’s just an extra line of code to let users know of the script’s presence, and was not part of the reason why almost eighty thousand users “
Why didn’t it work in [insert name of app here]?
Also, Twitter patched the vulnerability fairly quickly. Kudos to them!