Teen Tried to Send Heart Emoticon, Broke Tweetdeck

by L. Turner

An Austrian teenager testing out sending a heart emoticon broke Twitter app Tweetdeck on Wednesday when he accidentally exposed a vulnerability allowing mischief-makers to hack into other Tweetdeck users' desktops and send messages. Most of the messages were harmless — you know, adult things like the word "penis" sent repeatedly and "LOL I SHOULD RULE THE WORLD" — but the vulnerability the kid, named Florian, exposed prompted Twitter to shut down the application and fix the issue before more serious harm could be done.

Twitter would usually escape the code used to generate a heart emoticon, but Florian, who goes by @Firoxl on the site, figured out how to send a Tweet using Tweetdeck that bypassed the site's usual protections. The Verge reports that this was a previously known vulnerability, but it looks like Florian had no idea about that or exactly what havoc he'd wreak once he sent his Tweet on Wednesday morning.

Tweetdeck, once a popular third-party application for using Twitter and now owned by the social networking site itself, allows users to use the site in a way that's more efficient for high-powered users. You can load multiple accounts onto the app, track specific hashtags, and generally do a lot more than just look at your livestream and notifications. So it was a big deal when the app crashed on Wednesday.

Here's the innocuous, loving Tweet that started it all:

But the heart is full of code, and it's that code that made it possible for other people to pick up the vulnerability and use what's called cross-site scripting to get into others' accounts. Florian told The Verge he didn't mean for anything bad to happen.

"This was an accident. I didn't want to make this public. I didn't want to do anything bad."

¯\_(ツ)_/¯.

Photo: Tweetdeck.