How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter

  • Published on: 11 June 2014
  • http://tomscott.com - http://twitter.com/tomscott - It should never have happened. Defending against cross-site scripting (XSS) attacks is Web Security 101. And yet, today, there was a self-retweeting tweet that hit a heck of a lot of people - anyone using Tweetdeck, Twitter's "professional" client. How did it work? Time to break down the code. (Remember the old Myspace worms? They worked the same way.)

    THE SELF-RETWEETING TWEET: https://twitter.com/derGeruhn/status/476764918763749376
  • Runtime : 6:17
  • Tags: tomscott, tom scott, Hypertext Transfer Protocol (Internet Protocol), Cross-site Scripting (Ranked Item), Twitter (Website), xss, worms, Hack

COMMENTS: 40

  • Cum   18 hours ago

    BEAN

  • Level M   1 day ago

    Oh my God I love his accent

  • TLF   5 days ago

    You know that if the user icon is a pony, you already lost.

  • Xestee   5 days ago

    "find the parents" ...I've been trying

  • seafoamSpirit   6 days ago

    I feel like this was probably done to point out the glaring flaw, since it's ultimately victimless but will definitely get attention. Either way, interesting to learn!

  • TheCharmingNavigator

    I don't understand but somehow still enjoyed the video. You're a wizard Tommy

  • unguidedone   6 days ago

    I don't use Twitter nor do I see a need for it

  • Some Dude   1 week ago

    Honestly, I learned more about code in this video than most tutorials on here

  • Milo RBLX   1 week ago

    <script> i like kids </script>

  • Starkey   1 week ago

    [b] bold with what tom said [b/]bold with asterisk

  • Patrick Robertshaw   1 week ago

    I think you could have gone into more detail about why this is so important. Your viewers may just shrug off a self-retweeting tweet as something kind of benign, and it is. But the tweet could have done so much more, like stealing login sessions of the user. The reason this is a big deal is because it exposes an XSS vulnerability, not that someone's tweet can retweet.

  • Phlegethon   1 week ago

    How the hell do these people know so much random stuff

  • puking emoji   1 week ago

    One time I commented on YouTube and it became script. I don't know how

  • SanicStudios   2 weeks ago

    “I'm oversimplifying here” “never ever EVER” “Well done (insert name here)”

  • Rei   2 weeks ago

    do you mean The Future

  • Rei   2 weeks ago

    also can someone please upload videos made from old cameras :(

  • Rei   2 weeks ago

    IS THE CODE PACKET LOSS

  • Rei   2 weeks ago

    I tried to reply but then met the word ironically. But it was BISMUTH AND SOME STUPID APP AND EBAY