The TweetDeck Worm: How it Worked

TweetDeck is a very popular Twitter application (with 23% market share as of June 2009). The application was acquired by Twitter on May 25, 2011.

On Wednesday, the user @derGeruhn, exploited a stored XSS (cross-site scripting) vulnerability in the TweetDeck application and created a worm that affected 82,138 Twitter users and forced them to retweet a particular message.

Here is the original tweet message:

Let’s see how it worked:


<script class=”xss”>

The tweet starts by opening an inline script tag. The script tag is identified with the class xss so it can be referenced later. This is the xss vulnerability that was exploited by @derGeruhn, a secure web application should not permit an attacker to insert script tags.



  • $ – this is the jQuery library, TweetDeck is using jQuery so the attacker can use it as well.
  • $(‘.xss’) – this part tells jQuery to select the HTML tag that has the class xss. Remember that the script tag injected by the attacker had the xss class? The script tag is basically selecting itself.
  • $(‘.xss’).parents().eq(1) – next, it selects the second parent of the tag. parents() will return the set of parents of the script tag and eq(1) means to select the element at index 1 within the matched set. This means that it will select the tweet container.
  • $(‘.xss’).parents().eq(1).find(‘a’).eq(1).click(); from this container, it now searches all a tags (all links) from this container and it selects again the second one. Why? Because the second link from the container is the retweet link – it then clicks this link.retweet-tweetdeck-worm



However this is not enough, clicking on the retweet link does not automatically retweet the link, it just shows a confirmation popup message. This part of the code selects the retweet button and clicks on it for confirmation. The tweet was retweeted at this point without any user intervention. All the followers will now see this message and possibly automatically, retweet it (if they are using TweetDeck). This is how the worm is spreading.


alert(‘XSS in Tweetdeck’)

The last part of the code is just for creating a popup/alert message to warn users there is an XSS vulnerability in TweetDeck.

It’s interesting that the tweet is exactly 140 characters (the maximum size of a tweet message). The exploit is 139 characters and the last character is an Emoji (Red heart suit). It seems that the vulnerability was caused by the code responsible with parsing Emoji images.

Share this post

Leave a Reply

Your email address will not be published.