Today's TweetDeck vulnerability brought the entire service down for hours — but early accounts indicate the problems may have been uncovered by a simple accident. At 8:05 EDT, the account @FiroXL tweeted a simple test: some simple tags along with a heart symbol and a German phrase that translates roughly to "I wonder if this will work..." It worked: the tags did their job and the heart symbol, which Twitter would normally mangle, came through TweetDeck just fine, indicating that TweetDeck was rendering the raw text of the tweet as markup rather than escaping it. @FiroXL wasn't aware of the initial vulnerability, discovered back in 2011, but he had accidentally stumbled back onto it.
"I wonder if this will work: Test ♥" (original German: "Ob das wohl funktioniert: Test ♥")
— Firo Xl (@firoxl) June 11, 2014
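As an added illustration, not TweetDeck's code and not anything from the article, the following JavaScript shows the difference between interpolating tweet text straight into markup (the class of bug described above) and HTML-escaping it first. The sample tweet string is constructed for the example; the `<b>` tag stands in for whatever tags the original tweet contained, which the page does not reproduce. Note that escaping only touches the five HTML-significant characters, so a non-ASCII character such as ♥ passes through the safe renderer unchanged while tags are shown literally.

```javascript
// Added example (not TweetDeck's code): render tweet text safely.
// Two renderers take the same tweet body: an unsafe one that drops the raw
// text into HTML, and a safe one that escapes the five HTML-significant
// characters and leaves everything else, including non-ASCII such as ♥, as-is.

// Constructed sample tweet text, modelled on the one in the article
// (the original tags are not reproduced on the page; <b> stands in for them).
const SAMPLE_TWEET = 'Ob das wohl funktioniert: <b>Test</b> ♥';

// The only characters that can change the meaning of HTML text content
// or attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe: tweet text is concatenated straight into markup, so any tag inside
// the tweet becomes part of the document the client builds.
function renderTweetUnsafe(text) {
  return `<div class="tweet-text">${text}</div>`;
}

// Safe: the text is escaped first, so tags are displayed as literal characters
// and the heart survives untouched. In a browser, assigning the raw text to
// element.textContent instead of innerHTML achieves the same result.
function renderTweetSafe(text) {
  return `<div class="tweet-text">${escapeHtml(text)}</div>`;
}

// Regression check for a test suite: the rendered markup must contain no tag
// other than the wrapper element the renderer itself produced.
function containsForeignTags(html) {
  const inner = html
    .replace(/^<div class="tweet-text">/, '')
    .replace(/<\/div>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Stand-alone run: prints both renderings so the difference is visible.
console.log('unsafe:', renderTweetUnsafe(SAMPLE_TWEET));
console.log('safe:  ', renderTweetSafe(SAMPLE_TWEET));
```

The `containsForeignTags` check is the kind of assertion a client's test suite can run over every template that displays user-supplied text: it fails on the unsafe renderer and passes on the safe one, independent of which tag or symbol a tweet happens to carry.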
The account belongs to a 19-year-old Austrian named Florian, with fewer than 100 followers and no obvious security connections. Still, many have seized on @FiroXL as the source of today's troubles, and a quick scan of tags in tweets backs them up. His tweet predates the early warnings, as well as the more widespread retweet worms, many of which used the same heart symbol. More importantly, as soon as he discovered the vulnerability, he reported it publicly to @TweetDeck, potentially alerting anyone who was monitoring the mentions of the account. Just hours after @FiroXL's first tweet, users began to see warning messages, delivered through the XSS bug, that TweetDeck was no longer secure.
Reached by The Verge, Florian emphasized that he was simply experimenting with code, and meant no harm to TweetDeck or any users. He also expressed surprise at how quickly the bug cycled out of control. "This was an accident," he said. "I didn't want to make this public. I didn't want to do anything bad."