The vulnerability was noticed when the compromised accounts started retweeting a tweet containing a ♥.
TweetDeck is not supposed to display this as an image.
Because it's simple text, which should be escaped to ♥.
But in my tweet I used the Unicode character of the heart as a reference for my followers.
This whole thing looked like this: there were 2 hearts.
So I used a strong HTML tag to verify this (that's that famous "I wonder if this works" tweet).
It worked. So I wrote a little script which displays a popup and then blocks itself.
I wonder if this works: Test ♥
No web developer should ever make this possible.
TweetDeck did. I didn't know that there is such a big problem.
So I experimented with this in a public environment; there was no reason not to do so.
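What the "heart test" above actually probes is whether the client interprets tweet text as HTML. The following is an added example, not firo's script and not TweetDeck's code: a hardened renderer that escapes the text beside an unsafe one that passes it through, plus a small stand-in for what a browser would display, so the canary can be checked offline. The function names, the sample tweets and the minimal entity table are assumptions made for the example.

```javascript
// Added example (not TweetDeck's code, not firo's script).
// A tweet is plain text. If the client inserts it into the DOM as HTML
// (innerHTML-style), entities and tags in the text are interpreted:
// "&hearts;" shows up as a heart symbol and "<strong>" bolds the text.
// A correct client escapes the text first, so "&hearts;" stays the literal
// eight characters "&hearts;" on screen.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Hardened rendering: escape the five HTML metacharacters before the text
// reaches the DOM (equivalent in effect to assigning element.textContent).
function renderTweetSafe(text) {
  return text.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Unsafe rendering: the tweet body is used as raw markup.
function renderTweetUnsafe(text) {
  return text;
}

// Minimal stand-in for what a browser displays for a markup fragment:
// tags are dropped and a handful of entities are decoded in a single pass,
// as a browser would. Not a real HTML parser; enough to show the difference.
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', hearts: '\u2665' };
function displayedText(html) {
  const noTags = html.replace(/<[^>]*>/g, '');
  return noTags.replace(/&(#(\d+)|[a-z]+);/g, (match, name, digits) => {
    if (digits) return String.fromCodePoint(Number(digits));
    return Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : match;
  });
}

// The canary: a tweet whose text is exactly "&hearts;" must display as the
// literal entity. If a heart symbol appears, the client is interpreting
// HTML from tweet text and is injectable.
function heartCanaryLeaks(render) {
  return displayedText(render('&hearts;')) === '\u2665';
}

// Does a payload reach the markup with a tag intact?
function tagSurvives(render, payload) {
  return /<\s*[a-z]/i.test(render(payload));
}

// Constructed sample tweets (not the real ones from the incident).
const SAMPLES = {
  entity: '&hearts;',
  strongTag: 'I wonder if this works: <strong>Test</strong> \u2665',
  script: '<script>alert("XSS")</script>',
};

// Run every sample through a renderer and collect markup, displayed text
// and whether a tag survived.
function report(render) {
  return Object.fromEntries(Object.entries(SAMPLES).map(([name, text]) => [name, {
    markup: render(text),
    displayed: displayedText(render(text)),
    tagSurvives: tagSurvives(render, text),
  }]));
}

console.log('unsafe:', report(renderTweetUnsafe));
console.log('safe:  ', report(renderTweetSafe));
```

With the unsafe renderer the entity sample displays as a heart and the strong-tag sample displays "Test" with the tag consumed (the two hearts firo describes, one from the entity and one typed as a Unicode character, look identical on screen); with the safe renderer the entity stays literal and the script tag is shown as text rather than kept as markup.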
TweetDeck's next tweet said that there was a security issue and that users should log out and log back in:
Kindly bounce off TweetDeck and log back in to fully apply the fix.
We'll update when services are back up.
Sorry for any inconvenience.
source: www.techworm.net