Popular app hacked after teen discovers flaw
NEW YORK (CNNMoney) — TweetDeck, a popular Twitter app for desktops, has been hacked — because a 19-year-old computer geek in Austria wanted to use cute, little hearts.
On Wednesday, something like an Internet worm quickly spread across the Twitter social media network. It came from a tweet of a “♥” symbol that was loaded with a string of code — one that hijacked people’s TweetDeck software.
Like a typical worm, this code told affected TweetDeck accounts to share the message, thus disseminating it everywhere.
An Austrian teenager named Florian (he prefers to go by Firo) says he started it all. Firo, who declined to share his last name, citing privacy concerns, said he figured out Wednesday morning that “&hearts;” makes a “♥” symbol in the coding language HTML.
Chatting with CNN on Twitter, Firo said he was just experimenting when he discovered that using a “♥” created an opening in TweetDeck’s software, allowing someone to inject computer program commands via a tweet. Without even meaning to, Firo stumbled on a software bug.
“It wasn’t a hack. It was some sort of accident,” he said.
Firo tried it a few times, adding a heart to every message until he got it to create a pop-up on his own TweetDeck dashboard.
He then announced triumphantly: “Vulnerability discovered in TweetDeck. \ o /”
Firo let Twitter know about the vulnerability as soon as he found it. But it was too late.
Others in the hacker community noticed, and shortly thereafter, a mass TweetDeck hijacking ensued.
The message from Twitter user @derGeruhn was shared more than 37,000 times. Many undid the retweet action trying to peel back the annoyance. People around the world were affected (as were a few of us at CNN, including me, my editor, David Goldman, and CNN’s Crossfire account).
But no actual damage was reported. It was a harmless, brief Twitter disruption, little more than an annoyance.
Shortly after the incident, Twitter announced it fixed the problem. The company instructed users to simply log out of TweetDeck, then log back in.
As for Firo, a computer science student at an Austrian technical institute, he said he feels terrible about the whole thing.
“It’s horror that TweetDeck made that mistake,” he said. “It’s horror that [hackers] are using this issue. I don’t know. I’m sad in a way.”