The auto-RT Tweet
How the tweet exploited TweetDeck's XSS vulnerability.
At 18:36 on June 11th, 2014, @derGeruhn tweeted this:
In less than an hour it was retweeted more than 38k times, exploiting a cross-site scripting bug discovered in TweetDeck a few minutes earlier. Let's have a look at how it works.
It's basically a small piece of JavaScript that uses the jQuery library. Because TweetDeck is nothing more than a web page, every item in the view is an HTML element.
So the tweet, which was executed rather than displayed as plain text, created a <script> tag inside the window and gave it the class xss. Then it told the script to do the following; try to imagine a virtual mouse pointer moving around the page:
- find the HTML tag with the class xss, which is the script container; it uses itself as the "starting point": $('.xss')
- get the second ancestor of the <script> tag: parents().eq(1) (counting starts from zero)
- click on the second HTML <a> tag, which is a link, in this case the RT button: find('a').eq(1).click(); you are now on the pop-up where you choose RT or Quote
- click on the RT button, which is identified by the attribute data-action=retweet: $('[data-action=retweet]').click();
- show the message "XSS in Tweetdeck" in a pop-up window via the alert() JS function.
- The heart ❤ is the only content you can actually see in the tweet if you're using a vulnerable version of TweetDeck.
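The root of the bug described above is that the tweet body reached the page as markup instead of text, so the browser built a real <script> element out of it. The following is an added example, not code from the original post or from TweetDeck; the renderers, the escapeHtml helper and the sample tweet are all constructed for illustration. It puts the vulnerable pattern (string interpolation straight into HTML) beside the hardened one (escaping the body first) and shows that the same tweet text produces a script element in one case and plain characters in the other.

```javascript
// Added example (not from the original post): treat tweet text as data,
// never as markup. Everything here is a constructed illustration;
// TweetDeck's real rendering code is not on the page and is not reproduced.

// Escape the five characters that let text break out of an HTML text node
// or attribute value. '&' must be replaced first, otherwise the entities
// produced by the later replacements would themselves be re-escaped.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable renderer (hypothetical): the tweet body is interpolated straight
// into the markup, so a body containing a tag becomes a real element with a
// class the author chose, exactly the condition the post describes.
function renderTweetUnsafe(tweet) {
  return `<div class="tweet"><p>${tweet.text}</p><a href="#rt">RT</a></div>`;
}

// Hardened renderer (hypothetical): the body is escaped, so the HTML parser
// only ever sees text inside the <p>. In a browser the equivalent, and
// simpler, fix is `p.textContent = tweet.text`, which needs no escaping.
function renderTweetSafe(tweet) {
  return `<div class="tweet"><p>${escapeHtml(tweet.text)}</p><a href="#rt">RT</a></div>`;
}

// Review/detection helper: does the produced markup contain an element of the
// given name? A real check would parse the HTML; a tag regex is enough here to
// show the difference between the two renderers.
function containsInjectedTag(html, tagName) {
  return new RegExp(`<${tagName}\\b[^>]*>`, "i").test(html);
}

// Constructed sample tweet. The script body is deliberately left empty; only
// the fact that a <script class="xss"> tag is present matters for this demo.
const SAMPLE_TWEET = { text: 'I ❤ TweetDeck <script class="xss"></script>' };

// Render the sample both ways and report whether a script element was created.
function demo(tweet = SAMPLE_TWEET) {
  const unsafe = renderTweetUnsafe(tweet);
  const safe = renderTweetSafe(tweet);
  return {
    unsafeHasScript: containsInjectedTag(unsafe, "script"),
    safeHasScript: containsInjectedTag(safe, "script"),
    safeMarkup: safe,
  };
}

console.log(demo());
```

The escaped output still shows the literal characters `<script class="xss">` to the reader, which is what the author of the tweet should have seen: their text, not their code. The `containsInjectedTag` helper is the kind of check a test suite for a rendering component can run over fixtures containing angle brackets, quotes and ampersands to catch a regression before it ships.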