Arbitrary code execution

An attacker's ability to run any commands or code of the attacker's choice on a target machine or in a target process.

In computer security, arbitrary code execution means that someone can run code on a system without permission. A good example is a cross-site scripting (XSS) attack, which injects client-side scripts into a webpage, such as the self-retweeting tweet on TweetDeck.

TweetDeck vulnerability[1]

On June 11, 2014, user @derGeruhn tweeted:

<script class="xss">$('.xss').parents().eq(1).find('a').eq(1).click();$('[data-action=retweet]').click();alert('XSS in Tweetdeck')</script>♥

Everyone who saw the tweet retweeted it automatically. It also displayed an alert saying "XSS in Tweetdeck". Because TweetDeck didn't have any precautionary measures, it only worked for TweetDeck users, and the code was only shown and executed for them. The only thing Twitter users saw was the heart. It got 83 thousand retweets before it was fixed.
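
The missing precautionary measure is output encoding: tweet text has to be turned into plain text before it is put into the page. The code below is an added example, not part of the original article and not TweetDeck's real code; all function names are made up for illustration, and the sample tweet is a shortened, constructed version of the one quoted above.

```javascript
// Added example: hypothetical rendering helpers, not TweetDeck's real code.

// Map each character that has meaning in HTML to its entity.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode untrusted text so the browser treats it as text, not markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Vulnerable pattern: tweet text is pasted into the page as HTML.
function renderTweetUnsafe(tweetText) {
  return '<p class="tweet">' + tweetText + "</p>";
}

// Hardened pattern: tweet text is encoded before it reaches the page.
function renderTweetSafe(tweetText) {
  return '<p class="tweet">' + escapeHtml(tweetText) + "</p>";
}

// True if the rendered HTML still contains a live <script> tag.
function hasLiveScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample input, shortened from the tweet quoted above.
const sampleTweet = "<script class=\"xss\">alert('XSS in Tweetdeck')</script>♥";

console.log(renderTweetUnsafe(sampleTweet)); // script tag survives as markup
console.log(renderTweetSafe(sampleTweet));   // script tag becomes visible text
```

With the encoded version, a reader would see the whole tweet as text, including the script tag, and nothing would run.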

References

  1. Tom Scott (2014-06-11), How The Self-Retweeting Tweet Worked: Cross-Site Scripting (XSS) and Twitter, retrieved 2019-04-04