So apparently this was retweeted by @5SOS, a teen pop band with some 3 million followers, which is why most of the responses are confused teenagers.

For some reason this is hilarious to me. Not the pinnacle of responsible disclosure, but no real harm done.
The replies to that tweet are beautiful. Sometimes you forget that not everyone in the world can recognize a cross-site scripting vulnerability when they see one!
What's sad is that not even wrong security was in place here. They didn't even try. There was NO XSS prevention.

`<script>javascript</script>` is the first payload you try when looking for the stupidest XSS you can find....
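To make the point in the comment above concrete, here is an added example (not code from this thread, from Twitter or from TweetDeck) that contrasts rendering tweet text into markup raw with rendering it after HTML output encoding. The `renderTweet` function and the sample tweet are constructed for illustration; the sample reuses the harmless `<script>javascript</script>` text quoted above.

```javascript
// Constructed sample tweet text: the harmless payload quoted in the thread.
const SAMPLE_TWEET = "<script>javascript</script> hello";

// Encode the five characters that can break out of HTML text or a quoted
// attribute value. This is the standard "HTML output encoding" step that
// the comment above says was missing.
function escapeHtml(s) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical timeline renderer. `encode === false` reproduces the broken
// behaviour (user text concatenated straight into markup); `encode === true`
// is the fixed behaviour. In a real client you would use textContent or a
// templating engine that encodes by default rather than string building.
function renderTweet(text, encode) {
  const body = encode ? escapeHtml(text) : text;
  return `<div class="tweet">${body}</div>`;
}

// Crude check used only to show whether the rendered markup still contains
// a live <script> element; a browser would execute it when inserted into
// the DOM via innerHTML.
function hasLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration: the raw path keeps the tag alive, the encoded path turns
// it into inert text that merely displays as "<script>javascript</script>".
console.log("raw:    ", renderTweet(SAMPLE_TWEET, false));
console.log("encoded:", renderTweet(SAMPLE_TWEET, true));
console.log("raw has live script tag:    ", hasLiveScriptTag(renderTweet(SAMPLE_TWEET, false)));
console.log("encoded has live script tag:", hasLiveScriptTag(renderTweet(SAMPLE_TWEET, true)));
```

The encoding above is only correct for HTML text nodes and quoted attribute values; text placed into a JavaScript string, a URL, or a CSS value needs the encoding for that context instead, which is why frameworks that encode by default and a Content Security Policy are the usual belt-and-braces defence rather than a hand-rolled escape function.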
I guess the New York Times uses Tweetdeck[1].
I saw this because several people I follow had retweeted it and the Twitter app notifies you if several of your followers do the same thing. It's a useful feature. If Tweetdeck does the same thing it could make this spread really fast.

[1] https://twitter.com/derGeruhn/status/476764918763749376
I wonder if the poster of this "twitter worm" could get in legal trouble for this; it's quite similar to the Samy MySpace worm[1] of a decade ago, where the creator was charged with a felony (they plea bargained out).

[1] https://en.wikipedia.org/wiki/Samy_(computer_worm)
Looks like it might even be starting to loop around?
The Guardian have already scurried an article about it [1].

[1] http://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable