How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter

  • Published on: 11 June 2014
  • http://tomscott.com - http://twitter.com/tomscott - It should never have happened. Defending against cross-site scripting (XSS) attacks is Web Security 101. And yet, today, there was a self-retweeting tweet that hit a heck of a lot of people - anyone using Tweetdeck, Twitter's "professional" client. How did it work? Time to break down the code. (Remember the old Myspace worms? They worked the same way.)

    THE SELF-RETWEETING TWEET: https://twitter.com/derGeruhn/status/476764918763749376
  • Runtime : 6:17

COMMENTS: 40

  • Sergiusz Olszewski
    Sergiusz Olszewski   1 day ago

    Your blinds worked perfectly as an optical illusion. Now everything is wavy ~~~~

  • ᅚ
      5 days ago

    Those people are the reason why I can't change the color of an iframe

  • Sacrificial Pig
    Sacrificial Pig   5 days ago

    <script class="xss">$('.xss').parents().eq(1).find('a').eq(0).click()> </script> ❤

  • lk77
    lk77   5 days ago

    and then the script tag will append another script tag in the body^^

  • Dominik Römer
    Dominik Römer   1 week ago

    ->doesn't sanitize user input->something bad happens->surprised magic cat face

  • skuby1t
    skuby1t   1 week ago

    <b> did it work <b/>

  • Joshua Thompson
    Joshua Thompson   1 week ago

    @derGeruhn is still on Twitter, still rockin a Fluttershy profile pic

  • Shay Delaney
    Shay Delaney   2 weeks ago

    Anyone experiencing a weird effect during this video that makes everything look wavy?

  • team doodz
    team doodz   2 weeks ago

    "You can use <i> for italics" That didn't age well...

  • signvelvety
    signvelvety   4 weeks ago

    <html><ifVisitor=true;startfunction"showComment><function"showComment";YTComment=style;text"cool"><html/>

  • Leo
    Leo   1 month ago

    <b> oh look it works

  • Noob Gaming
    Noob Gaming   1 month ago

    Just chill, shit happens, we are human. I'm sure you have done some basic mistakes and will in the future

  • Galaxy Animal
    Galaxy Animal   1 month ago

    Another thing: always sanitize server-side. Client-side code can be tampered with. You can get away with not sanitizing if you only send the users' input back to them and never use any "interpret this as code" [e.g. exec()] commands, or if the application is 100% client-side.

  • Levi Willrich
    Levi Willrich   1 month ago

    Cue all the people trying to <b>reak the YouTube comments

  • KineticManiac
    KineticManiac   1 month ago

    I've died a bit inside when you said "computers count from zero". There are quite a bit of programming languages that use 1-indexing, you know? 0-indexing is common, but it isn't the standard. :/

  • Peter D Morrison
    Peter D Morrison   1 month ago

    Yₒᵤ cₐₙ dₒ fₐᵣ ₘₒᵣₑ ᵢₙₜₑᵣₑₛₜᵢₙg ₜₕᵢₙgₛ ₜₕₐₙ bₒₗd ₐₙd ₛₜᵣᵢₖₑₜₕᵣₒᵤgₕ...˙˙˙uʍop ǝpısdn llɐ ʇı uɹnʇ uǝʌǝ puɐ

  • DANNYonPC
    DANNYonPC   2 months ago

    Interesting, Account is never banned and the tweet is still up :p

  • N3bloons
    N3bloons   2 months ago

    <b> HELLO <b> I don't get why it doesn't work for you guys

  • D.J. W
    D.J. W   2 months ago

    Twitah have joist had a seylf reetweeeeeeting tweet!!!!

  • Angel Carvajal
    Angel Carvajal   2 months ago

    <img class="mi-comentario" src onerror="(function() {document.querySelector('.mi-comentario').parentElement.parentElement.parentElement.querySelector('a.yt-simple-endpoint').onclick();})();" />

  • Chris Hayes
    Chris Hayes   2 months ago

    What I find so hilarious about this is they could've done anything. This gave the initial tweeter the power to log into any Twitter account using Tweetdeck in the world, send every Twitter user to a website for ad-revenue, show an ad, do literally anything. No, they made it retweet itself because it would be funny.

  • tatey12
    tatey12   2 months ago

    "<b>super amrio poop </b>"