How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter 

Awesome

What a flex

why shouldn't it be

If it is removed, the market will crash.... OooOoooOoooOoo... But I think some bigger sandboxes have been created now, hasn't it ? We can relax.

He outlived Twitter

It did not happen in this case it seems, but even when it is non-malicious sometimes they still try to punish you.

the problem is, someone experienced who sees this might do a haarmful tweet just like this, before twitter shuts the feature down. I'd still do it for the fun of it though

@@JulzDrogenstube Right, but that's exactly why this tweet needed to be made. If Andy never made the tweet and twitter didn't know about it, then someone could've done something malicious. Security through obscurity does not work

@@JesusMowsMaLawn A call/email/message to twitter support could have been made. That way the cybersecurity team could have fixed it privately. Publicly exploiting the bug could have attracted people with malintent.

​@@58book Nine times out of ten they just ignore your message. With this tweet, they were forced to fix it immediately, hopefully before anything malicious could be done Obviously I'm not going to say if it was objectively right or wrong, because I'm not the judge of that, but I personally feel that this was justified

They made the tweet as a warning to the Devs, and didn't want to do anything malicious

Anything as long as it fit into 140 characters

@@__8120 linking an external script wouldn't have that constraint, could've written a novel.

That’s being a responsible programmer. An experienced coder has the power to potentially cause a LOT of damage, but it’s the ability to decide whether or not to do the right thing with said knowledge which is important. They did the (almost) right thing and disclosed the bug in a mostly non-destructive way. It’s the whole “just because you can doesn’t mean you should” argument. TL;DR - Not all programmers are dicks who want to break everything!

@@__8120 No you can just do

Tom thinks we're dumb. (and he's correct)

*_-why-_*

"So today we're talking about the physics of a swing set and *im simplifying massively here* ..."

Nah it’s definitely “AND it works!”

ON MERCH

how so?

@@thaichicken0210 Tweetdeck did sanitize user input except for a bug with emoji that broke the sanitation. Without the emoji the XSS didn't work.

@@thaichicken0210 from the author: "The ❤ was one of the UTF8 characters that got an visual upgrade that day. Before the update it would've displayed in the same font & color as the rest of the tweet. With the released update it was turned into an inline image. To display that HTML code was allowed within a tweet"

I was just out grabbing some beer for 13 years ago. Relax, kid. Jesus.

That's.. Deep

Rumors say he's still looking to this day.

Oof

Uuf

***** Rather this than something that shows a fake login form or secretly mines your data

didn't the guy get like 5 years in prison or something like that for this?

since the account has still been tweeting since (and the tweet itself wasn't even so much as removed) i doubt it.

white hat+illegal stuff = grey hat good intention then he is a nice guy :)

@92Dups would YOU want someone rummaging around with your websites code with no idea on there intent?

Jacob JP nevernevernevernevernevernevernever

Never

substitute*

"cool"

I got those before. One was a jeopardy champion.

Ik u didn't ask but I'm taking gcse computer science and the fact that I understood this comment makes me really happy, thanks

@@chy4e431 That's called sanitazation.

@@chy4e431 sanitizing user input means replecing special characters with escape sequences, such as '

Mrs. Roberts would be proud.

did you just call pikachu a magic cat?

It's kinda sad he didn't make it retweet something offensive about a politician.

All modern politicians are offensive enough on their own, there's no more that it could have done.

Just follow a politician on Twitter if you feel like reading some obnoxious tweets. There are some really stupid people out there.

I know him, he's a nice guy and very friendly :)

@MikatGaming yes, if the website or app is not properly protected from it. That script would most likely be longer than the maximum allowed characters though.

He could've just linked to an external script

sundhaug92 *cough*(and the fact he could have just sent a request for a longer script)*cough*

Mckenna Cisler Very true, I'm actually just impressed he managed to do that

*what*

I don't believe his intentions were malicious I believe he was just pointing out an error in a way someone who isn't being paid to do so should.

Hey, what is that flag in your profile picture?

@@oscarpetersson5324 Anarcho-Texas.

@@109Rage oh, thanks

Under anarchism you'd be dying of typhoid under a rock.

@@PwnZombie under capitalism, you instead >checks notes< die of starvation before having to worry about typhoid.

Ok?

@@emilianozamora399 Watch LPL and you'll understand.

fellow LPL watcher here

I think i just had a stroke while trying to read that.

Or you could not because its a felony to even attempt it

TIMΞ СнΛИGΣ which law exactly? Because there are very few things that are illegal to even attempt that aren’t just a separate crime.

@@wolbobus2130 Lmao, I was starting to get angry at myself for not understanding

oof where

i know this comment is dead, but link in description to self-retweeting tweet

Hi

a flutter- what?

@@zyugyzarc the yellow pegasus pictured is named Fluttershy. Also, the tweet is still up four years later.

Tfw you forget the video revolves around someone forgetting that 101.

It should nevah evah evah evah evah evah evah evah evah happen

-test-

*what do you mean by that?*

I mean, making everything bold is harmless.

2022: It Got Worse!

@@antfarmer2227 now: it got *even* worse

@@silasunger 🤣😂

@@toludaree I see you folks are staying warm watching the dumpster fire too... 😂

@@southernflatland how much worse can it get? we'll find out :p

he was also.a brony :)

SomeEnglishGames Shows us #NotAllBronies are horrible people, doesn't it?

Nikolas Powell Yup

That's what we call chaotic neutral

suspicous of him

**Hello**

please do that

Well someone did make a RU-vid video that knows it’s own url

@@inactive6200 thats very easy though..multiple people have done it years ago and it's not an exploit

I hate your pfp

Master I hate u

The explanation of XSS should be credited to the person who wrote the tweet. That was their purpose.

You should check out some of his Computerphile videos, like timezones, internationalis(z)ation, and electronic voting. Those are the rants of the century.

I’ve read him that angry, certainly. Really shouldn’t have sent him that email.

To those wondering whether I’m joking, I’m not. I REALLY should not have sent him that email

@@extrahourinthepit ???????????

Google Cendrum Yep, the email was of bad character

Why do I use marvelous (not marvellous) but also cancelled (not canceled) ?

It's also jQuery, and it sucks :D (I'm kidding, it has its uses, but I like to avoid it)

With plane JS, the code wouldn't run on twitter xD

A simple spelly,yet quite unbreakable.

Despite several attempts,methods,techniques & even the people pretending to be hackers I've encountered,i was finally refereed to this hacker on Instagram who finally gave me all i wanted from my partners mobile phone.If you are in the same shoe as me,i'm referring you to his Instagram page for help[@elitecoding007]..

yep never ever ever ever ever EVER turned off

beauty

There are two versions of jQuery - the current version, and vulnerable versions. And the current version is also vulnerable - we'll find out how in, say, two weeks.

With all ES6 and ES7 additions, there is currently no reason to use JQuery at all. Except if someone actually enjoys its counterproductive syntax that violates all OO-languages (which JS actually is) principles.

@@Asdayasman plus there's jquery-latest which hasn't been up-to-date in years, because people were abusing it.

@@TheLukasz032 While I agree that JQuery should be discarded from maintained projects and never included into new projects, I disagree with your implication that "OO" means "better".

❤️

🖕

Spectrum 🖕

❤️

astro -test-

@maskyschannel dang, i know, because its totally false. modern js parsers are better than that, with all the exploits fixed

not anything else, bc javascript is a limited language

Despite several attempts,methods,techniques & even the people pretending to be hackers I've encountered,i was finally refereed to this hacker on Instagram who finally gave me all i wanted from my partners mobile phone.If you are in the same shoe as me,i'm referring you to his Instagram page for help[@elitecoding007].

@@danlarkman2450 referees? Shoes? My word association algorithm thinks you're looking for soccer cleats. Is this correct? Oh, no, you don't wear shoes, because you're a bot

4:49

Tom Scott stand cry

Emoji support was added to Tweetdeck only two days ago, which they managed to screw up by not processing them safely. Without the heart emoji stuck on after the closing script tag, the tweet would have been sanitised and all would have been well.

*6

@@Salzui it was 5 for them, 6 for us

I love little Bobby tables!

Actually in XKCD 342 it says that Bobby was not much for computers unlike his mother and sister

That's what wrappers are for.

Subroutines !

*test* _test_ -test- it worked, thanks! :D

Jan Dusek Np ;) *Np ;)* _Np ;)_ -NP ;)-

-test-

AirCommando12 *test*

-test-

Yes.

It's a shame that you can only tweet 140 characters otherwise he could have done a lot more!

***** The thing is, you can do a lot more: you only need about twenty characters to embed an external script file hosted elsewhere. That file can be as long as you like, as long as the hosting's up to it...

They could have had it retweet an advert and wrote @justinbieber @ pewdiepie

Though, most browsers have something called the same-origin policy, which will automatically block any attempts to load an external javascript file from a different domain than the page you're on. Typically the best you'll get out of an XSS attack these days is unfiltered input from a form, or from the URL string (a "reflected" vulnerability), or if you're lucky, you'll find a situation like the one in the video where you save your malicious code on the server, and it's loaded up even on simple pages, and neither when you save it, nor when you load it does it filter out risky characters (a "persistent" vulnerability)

GETTING BACK TOGETHER -Paintspot Infez Wasabi! Like if you agree Reply if you've heard of me

Fo eva? For eva eva?

Here's why: special characters (like < which are needed for tags) are replaced by entities. They render the same as '

I find a smiley! ;

Can you actually increment and decrement with js?

of course you can. thats one of the most basic instructions

How do you think cookie clicker works? That thing is pure js

Commentator Instead of increment you could just say X=X+1.

END IF

Or the fact that there's an exploit in Windows 10 to create a user with admin privileges through the recovery boot command line (X:).

@@ryannorthup3148 well that would have been nice to know regaining access of my computer

@@ryannorthup3148 and on Linux you can add init=/bin/sh to your boot options. Needless to say, if you have physical access to a computer you can do a lot more than people would assume.

@@ryannorthup3148 Again? Like c'mon windows, it has been already in 7

Welcome to the team

Hahaha, same here. I had watched this video before but didn't understand it much. Now that I have learned HTML, JS and much more, I can understand it all.

Chaotic Good.

Suspicious isn't it ? In "real time" !

Iggy Tubmen ?

+Iggy Tubmen Hey look, a tweet by a brony. Let's ignore what the tweet says and hate on something that ISN'T EVEN RELEVANT!

+BigGamer2525 You should go back to school.

SquidPlays no ur a back to school night

BigGamer2525 Your grammar is atrocious. What are you, 9?

Its from jQuery...

Was not expecting to find you here! Computer science ftw :D

Generally, the most likely cause of XSS in professional websites is someone adding an output without first filtering it. So, if someone creates a new kind of output, like when they implement a new way of adding emojis for example, and they forget to add the encoding command, it will create a vulnerability. This doesn't mean the filter was turned off manually, but it was simply forgotten when adding a new feature.

joeytje50 ah, true. You'd think that a filter like that is in the in the base-tweet, and not on smaller parts that make out the tweet. I mean a simple htmlentities() could have prevented this from happening as a whole.

Fennoman yeah it could have, but it only takes _one_ mistake to be completely vulnurable to XSS. If someone forgets that once, they're vulnurable. And I don't know what their internal structure is, so I can't say how they could have prevented it. Simply removing any < and > wouldn't work though, because then you'd also filter out all the tags required for the emojis.

joeytje50 You could make an exception.

Yup

DaveyGames Then *_how?_*

Rechamber That's not the _font_, just the *style*

*I am bold*

ＮＯＴ ＲＥＡＬＬＹ, ＳＯＲＲＹ.

both , , and are newlines

That's how i use RU-vid

That is not a proper script, and I'm fairly sure the command to delete anything would not be named delete for this very reason.

+D Wells Look in the sky! It's a bird! It's a plane! It's the joke flying over your head!

+MyNameIsNidos that was a joke? your standards of humor are lower than I knew possible

+KingHalbatorix a few people here disagree with you

come on guys it's a joke. No need to get so serious about it. just laugh and move on.

_me too_

thats not how it works the html tags wouldnt appear if it worked silly goose

He did that on purpose, so people try to put in the

*i'm not*

*_-bold italic strikethrough-_*

the weebs and mlp fans always thr smort

How about furries

@@DMack6464 also yes

And !

NaiveAmoeba WORKS TOO YA KNOWWW!!!!!!

David Yue You do know what I mean by deprecation, yeah? As in, works, but it won't forever; they will deprecate it. has been highly recommended for use for *years* because "bold" is a stylistic attribute whilst "strong" is a functional one, hence the separation of layout and style.

Tim Stahel Browsers still show tags as being bold, but not necessarily forever. The idea is that you can override it, and make something that's "strong" by making it bigger, or a different colour, or anything. It isn't tied in with a specific visual type. It also means that it's more descriptive of its function rather than style. For example, what does "bold text" mean to a blind person? Nothing. What does "strong" or "emphasised" language mean? Exactly what it says on the tin. That's the idea, and although it's mostly about terminology, it's the early stages of separating lots of stuff out so that it has the same meaning for all devices, people, etc and is more future-proof!

Nothing like adding unnecessary bytes!

Luckily, one person can only retweet once per tweet. Everyone had only one retweeded heart on their profile, but it spread like virus: if you visited with Tweet Deck either the original profile OR other profile that already retweeted, you would retweet as well.