An Austrian Teen Discovered The Vulnerability That Set Off TweetDeck's Outage
TweetDeck was down for about an hour Wednesday while the company was fixing a vulnerability allowing cross site scripting attacks (XSS) that caused a tweet with some code and a little heart in it to be retweeted over and over.
The script in the tweet was being rendered as code in users' browsers. Attackers could execute code (like making an account automatically retweet) on anyone's computer just by tweeting it out.
TweetDeck fixed the vulnerability, which may have first been discovered by an Austrian teen. The Verge reports that at 8:05 this morning, the Twitter account @FiroXL, which belongs to a 19-year-old named Florian, tweeted a Javascript tag along with a heart symbol and a German phrase that means something along the lines of "I wonder if this will work":
He basically discovered that if he included the heart in his tweet, TweetDeck would execute Javascript or HTML from plaintext (that's why all the spammy tweets you saw in your timeline had hearts at the end of them). As soon as he discovered the vulnerability, he tweeted "Discovered vulnerability in TweetDeck."
From there, other Twitter users started using the technique. TweetDeck shut down its service while it made the security fixes necessary to fix the bug.