Arbitrary code execution

In computer security, Arbitrary Code Execution is something that allows executing code without permission. A good example is cross-site scripting (XSS) attacks which inject client-side scripts into a webpage such as the self-retweeting tweet on TweetDeck.

TweetDeck vulnerability[1]

On June 11, 2014, user @derGeruhn tweeted:

<syntaxhighlight lang="javascript"> <script class="xss">$('.xss').parents().eq(1).find('a).eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥ </syntaxhighlight>

Everyone who saw the tweet retweeted it automatically. It also displayed an alert saying "XSS in Tweetdeck". Because TweetDeck didn't have any precautionary measures, it only worked for TweetDeck users and the code was only showed and executed for them. The only thing Twitter users saw was the heart. It got 83 thousand retweets before it was fixed.

References

  1. Tom Scott (2014-06-11), How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter, retrieved 2019-04-04