19-year-old Austrian found the XSS flaw by accident

Jun 12, 2014 14:57 GMT  ·  By

It appears that yesterday's ruckus with TweetDeck was caused by a 19-year-old Austrian teenager who found that typing "&hearts" creates a heart symbol in HTML.

The teen, named Florian, discovered that this opened a door in TweetDeck that allowed injection of commands via a tweet. "It wasn't a hack. It was some sort of accident," he told CNN via Twitter.

Florian then tinkered for a while by adding a heart to every message, which caused a pop-up window to appear in his TweetDeck, and then tweeted that he had discovered a vulnerability in the Twitter client.
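The mechanism behind an entity like "&hearts" turning into injected markup is an ordering mistake: decoding the author's entities and then treating the result as HTML. The JavaScript below is an added illustration, not TweetDeck's or Twitter's code; it assumes tweet text is a string destined for innerHTML-style insertion and uses a tiny constructed entity table in place of the browser's full one.

```javascript
// Added illustration (not TweetDeck's or Twitter's code): the ordering mistake
// that turns an HTML entity in user text into live markup, and the safe order.
// Assumptions: tweet text arrives as a string and is placed into a page via
// innerHTML-style markup insertion; the entity table below is a tiny subset.

// Browsers know roughly 2,000 named entities; legacy ones such as "hearts"
// are accepted even when the trailing ';' is missing, which the regex mirrors.
const ENTITIES = { hearts: "\u2665", lt: "<", gt: ">", amp: "&", quot: "\"" };

function decodeEntities(text) {
  return text.replace(/&([a-zA-Z]+);?/g, (match, name) =>
    Object.prototype.hasOwnProperty.call(ENTITIES, name) ? ENTITIES[name] : match
  );
}

// Escape the five characters that carry meaning in an HTML text/attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable order: entities in the author's text are decoded and the result is
// used as markup. Escaped angle brackets ("&lt;b&gt;") come back as real tags.
function renderTweetUnsafe(tweetText) {
  return decodeEntities(tweetText); // caller assigns this to element.innerHTML
}

// Safe order: decode entities into plain characters first (so "&hearts;" still
// becomes a heart), then escape for the HTML context as the final step.
function renderTweetSafe(tweetText) {
  return escapeHtml(decodeEntities(tweetText)); // now safe for innerHTML
}

// Quick check a renderer's unit tests can run: does the output contain a tag start?
function containsMarkup(html) {
  return /<[a-zA-Z!\/]/.test(html);
}

// Constructed sample tweet: a heart plus escaped tag text; the text must stay text.
const SAMPLE_TWEET = "&lt;b&gt;hello&lt;/b&gt; &hearts; TweetDeck";
```

Run against SAMPLE_TWEET, the unsafe renderer yields a real `<b>` element while the safe renderer keeps the heart and leaves the tag as visible text.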

Despite his attempts to let Twitter know about the vulnerability in due time, members of the hacker community noticed the flaw and started exploiting it.

Yesterday we reported that a message from the handle @derGeruhn had been retweeted more than 35,000 times. Today, the retweet count of that message, which contains a piece of code, is over 80,000.

Twitter managed to fix the XSS vulnerability quite fast. The initial message posted on the TweetDeck channel let users know that the issue had been fixed and that they needed to log out and then back in.

However, a second message came 28 minutes later and informed users that TweetDeck services had been taken offline for security investigations. A third message announced a fix for the problem and the restoration of the service.