Last night, I was searching for an old email when I spotted this funny header:
Somebody had a sense of humour, inserting a XSS joke in email headers.
I thought it was funny, so I posted about it to Twitter:
Few minutes later, I saw Robin Jackson reply with this:
That can’t be real. No Twitter client would execute Javascript just because a Tweet would contain a “script” tag.
To prove it’s real, Robin posted a screenshot.
The client he was using was Tweetdeck for Chrome. Time to inform the developers. And of course, they are on Twitter as well.
Randy Janinda from Twitter’s security team responded within minutes:
And just two hours later I got the confirmation from Tom Woolway of the Twitter development team that the fix is out:
Signing off,
Mikko
Leave a reply
