How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter
tomscott

It should never have happened. Defending against cross-site scripting (XSS) attacks is Web Security 101. And yet, today, there was a self-retweeting tweet that hit a heck of a lot of people - anyone using Tweetdeck, Twitter's "professional" client. How did it work? Time to break down the code. (Remember the old Myspace worms? They worked the same way.)
THE SELF-RETWEETING TWEET: derGeruhn/status/476764918763749376
  • *what about this*

    Russell Baker, 3 hours ago
  • does this look bold?

    Russell Baker, 3 hours ago
  • Fluttershy's got an apple hat.

    long man, 19 hours ago
  • Yes, a simple, but effective "virus".

    Gilbert TheRegular, 2 days ago
  • Andy's account still exists somehow in 2020, it's @derGeruhn

    PurringCat248, 3 days ago
  • *Hello*

    Tapsu10, 3 days ago
  • What if... It just doesn't run scripts in messages?

    Ranibow Sprimkle, 7 days ago
  • hello

    Malik Buchcic, 9 days ago
  • Hey, this is actually a very clever way to spread the word. Making an XSS script as a test of whether it actually works, and it then turns into a self-retweeting tweet. Fits nicely into the limited space and lets the users know about it, and they don't even need to spread it further; the script does that for them automatically. Nice.

    Marek Poláček, 10 days ago
  • @echo off?

    a nooby User, 10 days ago
  • *Bold text is cool* And you know I'm joking because no-one uses

    Erufailon4, 12 days ago
    • It's true wtf is the point

      yaicob.com, 10 days ago
  • nice vid

    Dex, 13 days ago
  • Tom: find parents Bruce:

    syreille sales, 16 days ago
  • Couldn't this have just been fixed by using ".innerText = tweetText" instead of ".innerHTML = tweetText"? It would just output the part as text and not execute it, right?

    Ishidres, 17 days ago
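The question above contrasts the two rendering choices at the heart of the bug. The example below is added here and is not code from the video, the comment thread, or Tweetdeck: it models a tweet body being concatenated straight into markup (what `innerHTML = tweetText` does) beside the escaped form (what `textContent`/`innerText` gives you), with a constructed sample tweet and a hypothetical `hasUnexpectedTags` check a renderer could assert on. Node has no DOM, so the functions return the HTML string a browser would be asked to parse.

```javascript
// Added example, not code from the video or from Tweetdeck.
// Constructed sample tweet: ordinary text followed by a script tag.
const SAMPLE_TWEET = 'hello <script>/* constructed, does nothing */</script>';

// Escape the five characters that can change HTML structure or attribute
// context. This is what the browser effectively does for textContent.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the tweet body becomes markup, so any tag it carries
// is parsed as a tag (equivalent to node.innerHTML = tweetText).
function renderTweetUnsafe(tweetText) {
  return '<div class="tweet-body">' + tweetText + '</div>';
}

// Hardened pattern: the body is escaped first, so the parser sees text only
// (equivalent to node.textContent = tweetText, which the comment calls innerText).
function renderTweetSafe(tweetText) {
  return '<div class="tweet-body">' + escapeHtml(tweetText) + '</div>';
}

// Hypothetical render-time check: does the produced markup contain any tag
// other than the single wrapper div this renderer is allowed to emit?
function hasUnexpectedTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?div(\s|>)/.test(tag));
}
```

Escaping covers text placed between tags; text dropped into an attribute, a URL, or an inline script needs the encoding for that context instead.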
  • How many rt did it get tho

    Elite Sasquatch, 20 days ago
  • 󠇠 U+E01E0

    Progect, 22 days ago
  • can't wait for the self-hearting youtube comment

    timur, 22 days ago
  • I approve of them being nice and closing the script so it doesn't treat the rest of the page as script.

    Samuel Skala, 24 days ago
  • 🧡

    u k, 25 days ago
  • hello

    Potato, 26 days ago
  • Never ever ever .... Never ever ever everrrrrrr 😲😲😲😲 What's going on ??? Chill dude.

    D D, 28 days ago
  • asdasd

    LIAM person, 28 days ago
  • *_I want to see the video... Though your background is very very very very very TRIPPY_*

    Anonymous, 28 days ago
  • I just hate how Twitter has become the source for actual news, where a station will consider someone's Tweet AS NEWS.

    Alarec Scarbrow, 29 days ago
  • hello

    Mahir Asef, 1 month ago
  • Hello

    Mahir Asef, 1 month ago
  • Hello

    Mahir Asef, 1 month ago
  • *xd*

    haher hubert, 1 month ago
  • yo that works

    haher hubert, 1 month ago
  • and all of this from a guy who has an MLP profile pic

    Woofy, 1 month ago
  • *bruh*

    crasy kills, 1 month ago
  • Wait CrossSiteScripting == CSS

    Slovak_Cat, 1 month ago
  • Wait Tom writes H like a backwards N

    Who cares?, 1 month ago
    • @The Penguin Council OOOOOOOHHHHHHHH

      Rakin Rahman, 25 days ago
    • my response is your username

      The Penguin Council, 1 month ago
  • just some harmless fun while true do end let's hope youtube knows their stuff or I just crashed you XD

    Cassandra Collins, 1 month ago
    • Keywords: The following list shows a few of the reserved words in Lua. These reserved words may not be used as constants or variables or any other identifier names. and break "end" else elseif "do" false for function if in local nil not or repeat return then "true" until "while"

      underpicked, 26 days ago
    • By any chance, "while true do end" seems like Lua syntax instead of HTML syntax.

      underpicked, 26 days ago
    • that's not how scripting works in HTML

      kpmaxo, 1 month ago
    • Cassandra Collins ISproject knows stuff

      Paranormal Cucumber, 1 month ago
  • And then there’s me, wondering wtf is going on

    Bob The Dabber, 1 month ago
  • Warning: this is a test. I want to see what happens if I write down *and then continue speaking until I write * and hopefully the text didn't become bold

    Falqui Cao, 1 month ago
    • @Kian Moore you ruined the joke

      Falqui Cao, 1 month ago
    • *it is quite easy to use stars to make something bold, as markdown isn't enabled on ISproject so doesn't work*

      Kian Moore, 1 month ago
  • Twitter got outplayed by a brony

    Nerika Cutie 2, 1 month ago
  • why wasn't the input filtered on the backend

    Melanitta nigra, 1 month ago
  • I'm actually really happy, my HTML is improving! All I thoroughly know currently is Python though.

    Wdr Phantom, 1 month ago
  • I'm surprised the dude's tweet and account is still there.

    Boredfan Gerrude, 1 month ago
  • hello? I think I learned something new Edit: I didn't

    Michael Rosen, 1 month ago
    • This made me laugh harder than it should’ve... “Edit: *I didn’t* 😂

      ArchGirl, 1 month ago
  • This is what I call self-promoting a tweet.

    Mini tomate, 1 month ago
  • German Tweetdeck users back then: "Ah yes, finally, a way to force Dragon dildos on everyone's screen!" Also, wasn't the vulnerability caused by the heart emoji as it "prevented" masking out the script tag?

    Exxag, 1 month ago
  • heart

    Mark McNugget, 1 month ago
  • ❤️

    sava whatever, 1 month ago
  • HTML is not a language

    Mahdyar Sadeghi, 1 month ago
    • It's a markup language

      Kian Moore, 1 month ago
    • it's a programming language

      The Penguin Council, 1 month ago
  • Does somebody really use Internet Explorer? 1:00

    Nestor Alexander Castañeda Padrón, 1 month ago
  • This vulnerability was introduced when Tweetdeck launched emoji support shortly before. Blast from the past!

    Var Guitar, 1 month ago
  • The b tag for ISproject is * *It's like this*

    HotDog0275, 1 month ago
  • Can anyone count how many 'ever' Tom had said in this video?

    Tony Kong, 1 month ago
  • God your a geek

    Dan Dixon, 1 month ago
    • *you're

      Noodle Moose, 1 month ago
  • *omg it works*

    xtdycxtfuv, 1 month ago
    • Markdown isn't enabled on Comment Sections, so it doesn't work

      Kian Moore, 1 month ago
  • (/b)

    Unflavored Beats, 1 month ago
  • But what if self deleting tweet.

    KGB, 1 month ago
  • alert('Remember when there was an XSS injection vulnerability on Twitch?');

    Hexandcube, 1 month ago
    • you tried

      Lynden Browne, 1 month ago
  • " retweeting itself. The End."

    Michael Hirschmugl, 1 month ago
  • Never^6

    Epic man 99, 1 month ago
  • Does this work on ISproject?

    Darren Criss is totally awesome, 1 month ago
    • no.

      Ethan Sharp, 1 month ago
  • I understand all this as I like coding hobby HTML projects

    TGPO GD, 1 month ago
  • Anybody else feel like an idiot because they’re still confused about what exactly happened and why it was so bad?

    Regan 38, 1 month ago
    • You could write code in the tweet box and the site will run it, which is very insecure.

      Abhishek Kaushik, 1 month ago
  • I came back now, 6 years later and now I'm able to analyze all of this by myself. I sure learned lots about HTML, JavaScript etc

    James Daniel, 1 month ago
    • Welcome to the team

      Seth Adkins, 1 month ago
  • Proof that bronies are a menace to society

    The Melon Slayer, 2 months ago
    • we live in a society.

      Ethan Sharp, 1 month ago
  • *oh well..*

    Reşat Yıldırım, 2 months ago
  • If it worked on the accounts that retweeted it, then it would've been just Myspace

    WaterBoyz1140, 2 months ago
  • the video didn't make it clear, should it be turned off?

    Simonjs, 2 months ago
  • 🌚

    puke puke, 2 months ago
  • My belief is that if you type "Wichita" into Google's search-blank then what you are doing is telling it to find web-pages containing that text, i.e. containing Notepad characters such that an instruction to begin boldfacing occurs right before the word "Wichita". I reject the assertion that the "" is not part of what is being searched for, but, rather, moves outside the search-blank and thus makes the entire thing an instruction to search for "Wichita", make a page of the hits, and then add "" at the top of the list of hits.

    Topher TheTenth, 2 months ago
  • joe mama

    Meat Garfield, 2 months ago
    • nah

      Ethan Sharp, 1 month ago
  • Triple X S S

    Quest n'Achievement, 2 months ago
  • test

    Poutine Au Syrop d'érable, 2 months ago
    • nope

      Ethan Sharp, 1 month ago