At 8:05 EDT, the account @FiroXL tweeted a simple test: some javascript tags along with a heart symbol and a German phrase that translates roughly to I wonder if this will work… It worked: the tags did their job and the heart symbol, which Twitter would normally mangle, came through TweetDeck just fine, indicating the service was executing Javascript commands from plaintext. More importantly, as soon as he discovered the vulnerability, he reported it publicly to @TweetDeck, potentially alerting anyone who was monitoring the accounts mentions.
Comments are closed.
