How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter
Vložit
- čas přidán 29. 08. 2024
- tomscott.com - / tomscott - It should never have happened. Defending against cross-site scripting (XSS) attacks is Web Security 101. And yet, today, there was a self-retweeting tweet that hit a heck of a lot of people - anyone using Tweetdeck, Twitter's "professional" client. How did it work? Time to break down the code. (Remember the old Myspace worms? They worked the same way.)
THE SELF-RETWEETING TWEET: / 476764918763749376
7 years later, the creator's account is still around, and this is his pinned tweet
Awesome
What a flex
why shouldn't it be
If it is removed, the market will crash.... OooOoooOoooOoo... But I think some bigger sandboxes have been created now, hasn't it ? We can relax.
He outlived Twitter
"I'm simplifying massively, here..." is Tom's catch-phrase.
Tom thinks we're dumb. (and he's correct)
*_-why-_*
"So today we're talking about the physics of a swing set and *im simplifying massively here* ..."
Nah it’s definitely “AND it works!”
ON MERCH
What I find so hilarious about this they could've done anything. This gave the initial tweeter the power to log into any Twitter account using Tweetdeck in the world, send every twitter user to a website for ad-revenue, show an ad, do literally anything. No, they made it retweet itself because it would be funny.
They made the tweet as a warning to the Devs, and didn't want to do anything malicious
Anything as long as it fit into 140 characters
@@__8120 linking an external script wouldn't have that constraint, could've written a novel.
That’s being a responsible programmer. An experienced coder has the power to potentially cause a LOT of damage, but it’s the ability to decide whether or not to do the right thing with said knowledge which is important. They did the (almost) right thing and disclosed the bug in a mostly non-destructive way. It’s the whole “just because you can doesn’t mean you should” argument.
TL;DR - Not all programmers are dicks who want to break everything!
@@__8120 No you can just do
It looks like this guy made the code as a warning to the devs to fix it, and not malicious.
It did not happen in this case it seems, but even when it is non-malicious sometimes they still try to punish you.
the problem is, someone experienced who sees this might do a haarmful tweet just like this, before twitter shuts the feature down. I'd still do it for the fun of it though
@@JulzDrogenstube Right, but that's exactly why this tweet needed to be made. If Andy never made the tweet and twitter didn't know about it, then someone could've done something malicious. Security through obscurity does not work
@@JesusMowsMaLawn A call/email/message to twitter support could have been made. That way the cybersecurity team could have fixed it privately. Publicly exploiting the bug could have attracted people with malintent.
@@58book Nine times out of ten they just ignore your message. With this tweet, they were forced to fix it immediately, hopefully before anything malicious could be done
Obviously I'm not going to say if it was objectively right or wrong, because I'm not the judge of that, but I personally feel that this was justified
the heart emoji was actually necessary because it took advantage of how that unicode was processed by tweetdeck at the time
how so?
@@thaichicken0210 Tweetdeck did sanitize user input except for a bug with emoji that broke the sanitation.
Without the emoji the XSS didn't work.
@@thaichicken0210 from the author: "The ❤ was one of the UTF8 characters that got an visual upgrade that day. Before the update it would've displayed in the same font & color as the rest of the tweet. With the released update it was turned into an inline image. To display that HTML code was allowed within a tweet"
"find the parents" ...
I've been trying
I was just out grabbing some beer for 13 years ago. Relax, kid. Jesus.
That's.. Deep
Rumors say he's still looking to this day.
Oof
Uuf
You know, if you think about it, this probably wasn't done with any malicious intent. The guy probably read the changelog for the emoji update, noticed the massive security hole it caused, and because a report to Tweetdeck's developers would take very long to notice or get a response (and in that time somebody could do something truly problematic with it), he made it incredibly and immediately noticeable with a completely innocuous script. What a nice guy!
***** Rather this than something that shows a fake login form or secretly mines your data
didn't the guy get like 5 years in prison or something like that for this?
since the account has still been tweeting since (and the tweet itself wasn't even so much as removed) i doubt it.
white hat+illegal stuff = grey hat
good intention then he is a nice guy :)
@92Dups would YOU want someone rummaging around with your websites code with no idea on there intent?
->doesn't sanitize user input
->something bad happens
->surprised magic cat face
Ik u didn't ask but I'm taking gcse computer science and the fact that I understood this comment makes me really happy, thanks
@@chy4e431
That's called sanitazation.
@@chy4e431 sanitizing user input means replecing special characters with escape sequences, such as
'
Mrs. Roberts would be proud.
did you just call pikachu a magic cat?
I swear Tom Scott is that cool subsitute teacher you never got Edit: thanks for all of the likes! I never imagined that I would get so much attention.
Jacob JP nevernevernevernevernevernevernever
Never
substitute*
"cool"
I got those before. One was a jeopardy champion.
I'm happy he didn't use it for something malicious.
It's kinda sad he didn't make it retweet something offensive about a politician.
All modern politicians are offensive enough on their own, there's no more that it could have done.
Just follow a politician on Twitter if you feel like reading some obnoxious tweets. There are some really stupid people out there.
I know him, he's a nice guy and very friendly :)
@MikatGaming yes, if the website or app is not properly protected from it. That script would most likely be longer than the maximum allowed characters though.
I ADORE how Tom talks about big scale companies like the Lockpicking lawyer talks about lock designers
Ok?
@@emilianozamora399 Watch LPL and you'll understand.
fellow LPL watcher here
Just gonna point out that TweetDeck *did* sanitize their user input usually, but in this one case, the emoji broke something inside of TweetDeck's sanitation software, and so the script was rendered as a true script tag. There are often bugs like this, where in some edge case, the "safeties" are accidentally turned off, and a lot of cyber attacks revolve around finding these bugs, and exploiting them.
Hey, what is that flag in your profile picture?
@@oscarpetersson5324 Anarcho-Texas.
@@109Rage oh, thanks
Under anarchism you'd be dying of typhoid under a rock.
@@PwnZombie under capitalism, you instead >checks notes<
die of starvation before having to worry about typhoid.
Despite being an attack and all (and the fact he could have just sent a request for a longer script), kudos to him for programming a retweeting tweet that could fit in 140 characters!
He could've just linked to an external script
sundhaug92 *cough*(and the fact he could have just sent a request for a longer script)*cough*
Mckenna Cisler
Very true, I'm actually just impressed he managed to do that
*what*
I don't believe his intentions were malicious I believe he was just pointing out an error in a way someone who isn't being paid to do so should.
"It should nevernevernevernevernevernever be turned off" *everyone tries code like CZcams forgot that never^6*
I think i just had a stroke while trying to read that.
Or you could not because its a felony to even attempt it
TIMΞ СнΛИGΣ which law exactly? Because there are very few things that are illegal to even attempt that aren’t just a separate crime.
@@wolbobus2130 Lmao, I was starting to get angry at myself for not understanding
2014: _"Some fairly significant disruption to what has unbelievably become an important part of how the world communicates. Worrying, isn't it?"_
2021: This is one of the LEAST worrying things about Twitter.
2022: It Got Worse!
@@antfarmer2227 now: it got *even* worse
@@silasunger 🤣😂
@@toludaree I see you folks are staying warm watching the dumpster fire too... 😂
@@southernflatland how much worse can it get? we'll find out :p
Additional technical note: At 5:21, the closing script tag isn't optional as he is sorta implying. It is required for the attack to work, otherwise the rest of the page would also be inside the script tag and it would ruin both the attack and the web page :)
The biggest and most important detail of this bug is that whatever they used to parse unicode emoji into pictures accidentally made the rest of the tweet get read as HTML. The heart was the most crucial part of that tweet.
People in the comments trying out as if filtering out XSS isn’t cyber security 101 level stuff.
Tfw you forget the video revolves around someone forgetting that 101.
It should nevah evah evah evah evah evah evah evah evah happen
-test-
*what do you mean by that?*
I mean, making everything bold is harmless.
Andy's profile picture and tweet still exist on Twitter. He's changed his profile picture to a different Fluttershy, even.
oof where
i know this comment is dead, but link in description to self-retweeting tweet
Hi
a flutter- what?
@@zyugyzarc the yellow pegasus pictured is named Fluttershy. Also, the tweet is still up four years later.
Up next: The self-liking CZcams video.
please do that
Well someone did make a CZcams video that knows it’s own url
@@inactive6200 thats very easy though..multiple people have done it years ago and it's not an exploit
I hate your pfp
Master I hate u
"worrying isn't it?"
*starts grinning*
That's what we call chaotic neutral
suspicous of him
**Hello**
What a nice guy to not do anything malicious with this knowledge. He specifically did a harmless thing instead of querying usernames and injecting stuff to release password hashes. A really nice guy and deserving of recognition.
he was also.a brony :)
SomeEnglishGames Shows us #NotAllBronies are horrible people, doesn't it?
Nikolas Powell Yup
That's a marvellous little bit of code... Simple but elegant in its execution :)
Why do I use marvelous (not marvellous) but also cancelled (not canceled) ?
It's also jQuery, and it sucks :D
(I'm kidding, it has its uses, but I like to avoid it)
With plane JS, the code wouldn't run on twitter xD
A simple spelly,yet quite unbreakable.
Despite several attempts,methods,techniques & even the people pretending to be hackers I've encountered,i was finally refereed to this hacker on Instagram who finally gave me all i wanted from my partners mobile phone.If you are in the same shoe as me,i'm referring you to his Instagram page for help[@elitecoding007]..
I've never seen Tom so angry, seriously.
You should check out some of his Computerphile videos, like timezones, internationalis(z)ation, and electronic voting. Those are the rants of the century.
I’ve read him that angry, certainly.
Really shouldn’t have sent him that email.
To those wondering whether I’m joking, I’m not. I REALLY should not have sent him that email
@@extrahourinthepit ???????????
Google Cendrum Yep, the email was of bad character
I don't really understand what we're talking about here, but I know that the filter should never ever ever ever ever EVER have been off.
yep never ever ever ever ever EVER turned off
That guy, the one who made the self-retweeting tweet was awfully nice, with the abilty to run a script in your browser he could have redirected you to an add, or even place it on your page and make tons of money, or make you download a virus, or anything else they wanted. Note:those or are the mathematical one, not the normal one.
@maskyschannel dang, i know, because its totally false. modern js parsers are better than that, with all the exploits fixed
not anything else, bc javascript is a limited language
Despite several attempts,methods,techniques & even the people pretending to be hackers I've encountered,i was finally refereed to this hacker on Instagram who finally gave me all i wanted from my partners mobile phone.If you are in the same shoe as me,i'm referring you to his Instagram page for help[@elitecoding007].
@@danlarkman2450 referees? Shoes? My word association algorithm thinks you're looking for soccer cleats. Is this correct? Oh, no, you don't wear shoes, because you're a bot
5 years later and CZcams is finally recommending me this.
*6
@@Salzui it was 5 for them, 6 for us
I like how he's so into what hes saying lol "you shoudn't ever ever ever everrr..."
He explains so well, really good job man! Keep up your perfect work :)
A very good and easy to understand explanation of XSS. Very worthwhile watching. Keep up the good work.
The explanation of XSS should be credited to the person who wrote the tweet. That was their purpose.
tom isn't angry, he's just disappointed.
❤️
❤️
🖕
Spectrum 🖕
❤️
astro -test-
Doing the math, working off the screenshot from the BBC Twitter at 0:18, that tweet got roughly 108 retweets per second on average. I'm sure the actual rate was exponential and not linear, but that's still devastatingly impressive.
"jQuery ... and it works!"
yo citation needed on that one because jquery has done it's best to disprove that statement.
beauty
There are two versions of jQuery - the current version, and vulnerable versions.
And the current version is also vulnerable - we'll find out how in, say, two weeks.
With all ES6 and ES7 additions, there is currently no reason to use JQuery at all. Except if someone actually enjoys its counterproductive syntax that violates all OO-languages (which JS actually is) principles.
@@Asdayasman plus there's jquery-latest which hasn't been up-to-date in years, because people were abusing it.
@@TheLukasz032 While I agree that JQuery should be discarded from maintained projects and never included into new projects, I disagree with your implication that "OO" means "better".
AFAIK, the heart was mandatory for the injection to work.
Emoji support was added to Tweetdeck only two days ago, which they managed to screw up by not processing them safely. Without the heart emoji stuck on after the closing script tag, the tweet would have been sanitised and all would have been well.
As a guy who's just learning about JavaScript this video was recommended at the perfect time
Neverevereverevereverever
- Tom Scott
4:49
Tom Scott stand cry
I don't know if you're still making them, but I am a linguistics enthusiast and I have to say your videos on that topic are ABSOLUTELY BRILLIANT. Seriously they're amazing.
Cheers.
So anybody who looked at the tweet retweeted it?
Yes.
It's a shame that you can only tweet 140 characters otherwise he could have done a lot more!
***** The thing is, you can do a lot more: you only need about twenty characters to embed an external script file hosted elsewhere. That file can be as long as you like, as long as the hosting's up to it...
They could have had it retweet an advert and wrote @justinbieber @ pewdiepie
Though, most browsers have something called the same-origin policy, which will automatically block any attempts to load an external javascript file from a different domain than the page you're on. Typically the best you'll get out of an XSS attack these days is unfiltered input from a form, or from the URL string (a "reflected" vulnerability), or if you're lucky, you'll find a situation like the one in the video where you save your malicious code on the server, and it's loaded up even on simple pages, and neither when you save it, nor when you load it does it filter out risky characters (a "persistent" vulnerability)
Breaking Twitter while decked out in a fancy little Fluttershy profile pic,
Just for everyone here trying to use HTML in their comments, etc. doesn't work in the comments. You need to use Google's tags
*Bold* - put * either side of the text
_Italics_ - put _ either side of the text
-Strikethrough- - put - either side of the text
*test* _test_ -test-
it worked, thanks! :D
Jan Dusek
Np ;)
*Np ;)*
_Np ;)_
-NP ;)-
-test-
AirCommando12 *test*
-test-
I'm pretty happy to see that *andy was apparently not banned and is actually still actively tweeting. They also link followers to your video for explanation which is nice.
“Im oversimplifying here”
“never ever EVER”
“Well done (insert name here)”
never EVER EVER EVA EVAAAAA
GETTING BACK TOGETHER
-Paintspot Infez
Wasabi!
Like if you agree
Reply if you've heard of me
Fo eva? For eva eva?
I came back now, 6 years later and now I'm able to analyze all of this by myself. I sure learned lots about HTML, JavaScript etc
Welcome to the team
Hahaha, same here. I had watched this video before but didn't understand it much. Now that I have learned HTML, JS and much more, I can understand it all.
Sanatizing outputs is actually so tedious as you need to do it litterally anywhere where an individual might have touched a string.
That's what wrappers are for.
Subroutines !
I bet Andy’s real name is Robert “Bobby” Tables
XKCD #327
I love little Bobby tables!
Actually in XKCD 342 it says that Bobby was not much for computers unlike his mother and sister
"I'm overly simplifying this"
> Bonds text
Tom, tom, please.
“And then, just to be lovely, a heart.”
Love how the original tweet has a Fluttershy profile picture
Iggy Tubmen ?
+Iggy Tubmen Hey look, a tweet by a brony. Let's ignore what the tweet says and hate on something that ISN'T EVEN RELEVANT!
+BigGamer2525 You should go back to school.
SquidPlays no ur a back to school night
BigGamer2525 Your grammar is atrocious. What are you, 9?
1:40 The Dangerous thing, the really dangerous thing is that he’s filming with blinds behind him which makes everything Moiré-aey
"worrying, isn't it?" Tom said with a smile...
Just to be clear: the solution to preventing XSS is not to sanitize input and remove something that looks like an html tag. The solution is to correctly encode text before you spit it out into an HTML document.
As of March 2021, the original tweet is still up!
Wait, I just realized that the tweet got sent at 5pm (UK) but you still managed to upload that video on that day.
Big cheers Tom!
Suspicious isn't it ? In "real time" !
$('.xss').for(int i = 0; i < script.size(); i++){alert("How to make someone read nonsense code.");}END IF
Can you actually increment and decrement with js?
of course you can. thats one of the most basic instructions
How do you think cookie clicker works? That thing is pure js
Commentator Instead of increment you could just say X=X+1.
END IF
I learned some HTML, CSS, and JavaScript. And now I learned what $ means. Thank you.
Its from jQuery...
Hey, this is actually very clever way to spread the word. Making an XSS script as a test if it actually works, and it then turns into a self retweeting tweet. Fits nicely into the limited space and lets the users know about it and they don't even need to spread it further, the script does that for them automatically. Nice.
I like the guy who tweeted this, he was like, ha! Bug! Time to screw with people while also helping the community!
Chaotic Good.
looks like when I have to take my programming class for college I'll be coming back to you for anything
wait till Tom hears about the root user without a password in MACOS High sierra
Or the fact that there's an exploit in Windows 10 to create a user with admin privileges through the recovery boot command line (X:).
@@ryannorthup3148 well that would have been nice to know regaining access of my computer
@@ryannorthup3148 and on Linux you can add init=/bin/sh to your boot options.
Needless to say, if you have physical access to a computer you can do a lot more than people would assume.
@@ryannorthup3148 Again? Like c'mon windows, it has been already in 7
alert('Yeah, I know it wont work');
Here's why: special characters (like < which are needed for tags) are replaced by entities. They render the same as '
I find a smiley!
;
You’re way better at cop,wining code than my actual computer science teacher. If you made a Java programming tutorial I would be doing way better in this class.
Well, it came back again across the internet in 2021, Tom way ahead of the game again
Normies : Self-Retweeting Tweet
CS Students : Recursive Tweet
I love how the person who made this is a brony
I already knew about JQuery and HTML and CSS, etc. but that little bit of code and your explanation helped me learn SO much JQuery
2:19 This is where someone starts to sweat...
2:23 Twitter is hiring new people
does anyone *know* how to change the _font_ on a -CZcams- -Google+- apparently CZcams again comment?
Yup
DaveyGames Then *_how?_*
Rechamber That's not the _font_, just the *style*
*I am bold*
NOT REALLY, SORRY.
I have taken many courses about bug Bounty, but this guy is the only one who explained it crystal clear 🔥❤️
Great video Tom! Quick to put out and quality content, as usual. But wouldn't they have to actively remove it for that filter to drop off? Was it a spelling error or did someone do it on purpose? Hrm...
Was not expecting to find you here! Computer science ftw :D
Generally, the most likely cause of XSS in professional websites is someone adding an output without first filtering it. So, if someone creates a new kind of output, like when they implement a new way of adding emojis for example, and they forget to add the encoding command, it will create a vulnerability. This doesn't mean the filter was turned off manually, but it was simply forgotten when adding a new feature.
joeytje50 ah, true. You'd think that a filter like that is in the in the base-tweet, and not on smaller parts that make out the tweet. I mean a simple htmlentities() could have prevented this from happening as a whole.
Fennoman yeah it could have, but it only takes _one_ mistake to be completely vulnurable to XSS. If someone forgets that once, they're vulnurable.
And I don't know what their internal structure is, so I can't say how they could have prevented it. Simply removing any < and > wouldn't work though, because then you'd also filter out all the tags required for the emojis.
joeytje50 You could make an exception.
You should do a follow-up on what the author could have done if he was more malicious. Perhaps he could have redirected people to another page on Twitter with more malicious tweets. The initial tweet would just retweet and redirect, then subsequent tweets would do things like follow/unfollow people, steal cookies, collect account information, include other scripts, maybe even mine bitcoin or send a bunch of requests to a specific server (DDoS).
Andy even recommended this video to someone who wanted an explanation. Does not seem malicious at all. He brought attention to the error.
Tom Scott hasn't aged a day in 6 years
Correction: how the self-reXing X worked: Cross-Site Scripting (XSS) and X
Love Tom's channel, but there is nothing duller than programming.
The fix is literally replace "
That is some impressive code golf '); DROP TABLES CZcams;--
this is a good reminder. it isnt like when building a site completely from the beginning that there's some kind of preinstalled filter you have to turn off to make the xss possible but you have to check any user input and html-escape it yourself, something that can quickly be forgotten when doing MANY other security things, like storing passwords safely and so on.
I think you could have gone into more detail about *why* this is so important. Your viewers may just shrug off a self-retweeting treat as something kind of benign, and it is. But the tweet could have done so much more, like stealing login sessions of the user. This reason this is a big deal is because it exposes an XSS vulnerability, not that someone's tweet can retweet
does anyone actually communicate with twitter? or do they just all talk at the same time and hope everyone else is listening?
That's how i use CZcams
this is as emotional as i have ever seen this guy get. it's a topic dear to his heart
Oh, hey look. Its Fluttershy!
But seriously: That is something that should not have happened.
Thats one basic thing the QA should have checked: HTML-Injections (It can be pretty harmless but would have been enough to see this error.)
Many Frameworks that are used now a days even do that for you. They just don't let this happen.
But still it happens now and then that someone finds an error in a well know and well used software, where other Software-Devs just ask 'How could have this happened?'
I watch your videos because they make me feel smart.
3:17 sippin on orphan tears
*im gay*
_me too_
thats not how it works
the html tags wouldnt appear if it worked
silly goose
He did that on purpose, so people try to put in the
*i'm not*
*_-bold italic strikethrough-_*
More HTML:
is a paragraph
is a break between paragraphs
serves as italics
serves as bold
Makes you type in the title font of your page
is a divider inside text
I could go on and on, but I won't.
both , , and are newlines
This is what I call self-promoting a tweet.
@Tom Scott: i just found this video even though i subscribed years ago. anyway: the twitter account still exists and his tweet as well, its pinned actually.
Honestly, I learned more about code in this video than most tutorials on here
Nice profile pic there, Andy! Lmao
_test_
I've no idea how you did that, but you appear to have successfully got tags into a CZcams comment. If you can do that consistently, with more than just the tags, then report it to CZcams's security team quick. If you're the first (and you don't abuse it or cause damage), there will be a significant bug bounty coming your way.
+Tom Scott I didn't _actually_ write in italics by using test, but by using _ test _ without the spaces, the same way you'd write *test* with * test * or -test- with - test -, so there's no reason to worry.
By the way, I just discovered your channel, and I love your videos. You can explain things in a very understandable and witty way, keep up the great work!
+Tom Scott youtube looks for action characters and formats text appropriately _as_ *you* -can- _see_ *here*
+Max Mouse (Mmouse) _wow_
+Tom Scott you can do *this* in youtube by putting the word in asterisks(these things ->*)
i love how the person who actually did that was a brony
the weebs and mlp fans always thr smort
How about furries
@@DMack6464 also yes
I wish I knew how to switch my handwriting to that font.
Tom Scott had just forgot about acustics, i mean this should never happen, this is video basics 101 and yet here we are
Thanks. I'm an idiot, so it's nice to be walked through the process of how it all went down.
Is it weird that I smelled the sharpie he was writing with and I thought he was using a pen? I did not have any open sharpie near me either.
Wait
Tom writes H like a backwards N
my response is your username
@@felix56p OOOOOOOHHHHHHHH
So, what exactly did this do? Did the people who posted it flood their profile with hearts and cause the servers to crash or something?
Luckily, one person can only retweet once per tweet. Everyone had only one retweeded heart on their profile, but it spread like virus: if you visited with Tweet Deck either the original profile OR other profile that already retweeted, you would retweet as well.
?? You mean , Tom! Deprecation yo.
And !
NaiveAmoeba WORKS TOO YA KNOWWW!!!!!!
David Yue You do know what I mean by deprecation, yeah? As in, works, but it won't forever; they will deprecate it. has been highly recommended for use for *years* because "bold" is a stylistic attribute whilst "strong" is a functional one, hence the separation of layout and style.
Tim Stahel Browsers still show tags as being bold, but not necessarily forever. The idea is that you can override it, and make something that's "strong" by making it bigger, or a different colour, or anything. It isn't tied in with a specific visual type. It also means that it's more descriptive of its function rather than style. For example, what does "bold text" mean to a blind person? Nothing. What does "strong" or "emphasised" language mean? Exactly what it says on the tin. That's the idea, and although it's mostly about terminology, it's the early stages of separating lots of stuff out so that it has the same meaning for all devices, people, etc and is more future-proof!
Nothing like adding unnecessary bytes!
That's why in all my web projects (consisting mainly of simple cms and highscore system for few freeware games) I've filtered it out server-side (there's that htmlspecialchars php function - basically it replaces quotes and angle brackets with their &something; equivalents, also prevents SQLi as a bonus, very useful) just to be sure.