Tom thinks we're dumb. (and he's correct)

*_-why-_*

"So today we're talking about the physics of a swing set and *im simplifying massively here* ..."

Nah it’s definitely “AND it works!”

ON MERCH

I was just out grabbing some beer for 13 years ago. Relax, kid. Jesus.

That's.. Deep

Rumors say he's still looking to this day.

Oof

Uuf

Awesome

What a flex

why shouldn't it be

If it is removed, the market will crash.... OooOoooOoooOoo... But I think some bigger sandboxes have been created now, hasn't it ? We can relax.

He outlived Twitter

***** Rather this than something that shows a fake login form or secretly mines your data

didn't the guy get like 5 years in prison or something like that for this?

since the account has still been tweeting since (and the tweet itself wasn't even so much as removed) i doubt it.

white hat+illegal stuff = grey hat good intention then he is a nice guy :)

@92Dups would YOU want someone rummaging around with your websites code with no idea on there intent?

Jacob JP nevernevernevernevernevernevernever

Never

substitute*

"cool"

I got those before. One was a jeopardy champion.

oof where

i know this comment is dead, but link in description to self-retweeting tweet

Hi

a flutter- what?

@@zyugyzarc the yellow pegasus pictured is named Fluttershy. Also, the tweet is still up four years later.

please do that

Well someone did make a KZbin video that knows it’s own url

@@inactive6200 thats very easy though..multiple people have done it years ago and it's not an exploit

I hate your pfp

Master I hate u

You should check out some of his Computerphile videos, like timezones, internationalis(z)ation, and electronic voting. Those are the rants of the century.

I’ve read him that angry, certainly. Really shouldn’t have sent him that email.

To those wondering whether I’m joking, I’m not. I REALLY should not have sent him that email

@@extrahourinthepit ???????????

Google Cendrum Yep, the email was of bad character

yep never ever ever ever ever EVER turned off

The explanation of XSS should be credited to the person who wrote the tweet. That was their purpose.

Yes.

It's a shame that you can only tweet 140 characters otherwise he could have done a lot more!

***** The thing is, you can do a lot more: you only need about twenty characters to embed an external script file hosted elsewhere. That file can be as long as you like, as long as the hosting's up to it...

They could have had it retweet an advert and wrote @justinbieber @ pewdiepie

Though, most browsers have something called the same-origin policy, which will automatically block any attempts to load an external javascript file from a different domain than the page you're on. Typically the best you'll get out of an XSS attack these days is unfiltered input from a form, or from the URL string (a "reflected" vulnerability), or if you're lucky, you'll find a situation like the one in the video where you save your malicious code on the server, and it's loaded up even on simple pages, and neither when you save it, nor when you load it does it filter out risky characters (a "persistent" vulnerability)

@maskyschannel dang, i know, because its totally false. modern js parsers are better than that, with all the exploits fixed

not anything else, bc javascript is a limited language

Despite several attempts,methods,techniques & even the people pretending to be hackers I've encountered,i was finally refereed to this hacker on Instagram who finally gave me all i wanted from my partners mobile phone.If you are in the same shoe as me,i'm referring you to his Instagram page for help[@elitecoding007].

@@danlarkman2450 referees? Shoes? My word association algorithm thinks you're looking for soccer cleats. Is this correct? Oh, no, you don't wear shoes, because you're a bot

Emoji support was added to Tweetdeck only two days ago, which they managed to screw up by not processing them safely. Without the heart emoji stuck on after the closing script tag, the tweet would have been sanitised and all would have been well.

GETTING BACK TOGETHER -Paintspot Infez Wasabi! Like if you agree Reply if you've heard of me

Fo eva? For eva eva?

Iggy Tubmen ?

+Iggy Tubmen Hey look, a tweet by a brony. Let's ignore what the tweet says and hate on something that ISN'T EVEN RELEVANT!

+BigGamer2525 You should go back to school.

SquidPlays no ur a back to school night

BigGamer2525 Your grammar is atrocious. What are you, 9?

Can you actually increment and decrement with js?

of course you can. thats one of the most basic instructions

How do you think cookie clicker works? That thing is pure js

Commentator Instead of increment you could just say X=X+1.

END IF

Here's why: special characters (like < which are needed for tags) are replaced by entities. They render the same as '

I find a smiley! ;

Or the fact that there's an exploit in Windows 10 to create a user with admin privileges through the recovery boot command line (X:).

@@ryannorthup3148 well that would have been nice to know regaining access of my computer

@@ryannorthup3148 and on Linux you can add init=/bin/sh to your boot options. Needless to say, if you have physical access to a computer you can do a lot more than people would assume.

@@ryannorthup3148 Again? Like c'mon windows, it has been already in 7

Suspicious isn't it ? In "real time" !

Its from jQuery...

my response is your username

@@felix56p OOOOOOOHHHHHHHH

both , , and are newlines

HomeGun Maker that was MySpace I think

You forgot the '; --' at the end.

DROP ALL DATABASES

*table falls through the ground*

I did that to my college's login page, the website was down but it did work the next day, I freaked out, thought I crashed the website and they will find me

oops

nice code m8

shh

That's not a nonce. A nonce looks more like b192fc4204

hello

Go away

hmm.. ok...if you want me to (troll face)

krt you're 2 years late

Gigantickookie and still so relevant

trombonista92 using "(troll face)"? Seriously?

How on earth did you do *that* ?!

The Solar Universe *-its-* _an_ -a-*p*_p_

I will have to report you to google for XSS.

Galaxy ⓈⒽⒽ

wait, are those just regional indicators?

yey fellow čech!

@@_HappyRadio_ yeey zdravíčko

I'll do it tomorrow if I remember

@@ascentfevers I think you forgot.

Wow you just did that

KZbin knows we require more Tom Scott.

Yup noticed it too

Tim Stahel Turns out, preferences in television shows have no bearing on intelligence! A hacker with the alias "Pinkie Pie" wins the Chrome hacking event each year! Google it if you don't believe me ;)

+Orghter haxor unlocked. much fear

What do you mean?

Or another superweird one... A self retweeting tweet that hacks the victims computer to make it order 1 chocolate Hersheys bar from Amazon, then within the course of 24 hours, deletes itself

It did not happen in this case it seems, but even when it is non-malicious sometimes they still try to punish you.

the problem is, someone experienced who sees this might do a haarmful tweet just like this, before twitter shuts the feature down. I'd still do it for the fun of it though

@@JulzDrogenstube Right, but that's exactly why this tweet needed to be made. If Andy never made the tweet and twitter didn't know about it, then someone could've done something malicious. Security through obscurity does not work

@@JesusMowsMaLawn A call/email/message to twitter support could have been made. That way the cybersecurity team could have fixed it privately. Publicly exploiting the bug could have attracted people with malintent.

​@@58book Nine times out of ten they just ignore your message. With this tweet, they were forced to fix it immediately, hopefully before anything malicious could be done Obviously I'm not going to say if it was objectively right or wrong, because I'm not the judge of that, but I personally feel that this was justified

They made the tweet as a warning to the Devs, and didn't want to do anything malicious

Anything as long as it fit into 140 characters

@@__8120 linking an external script wouldn't have that constraint, could've written a novel.

That’s being a responsible programmer. An experienced coder has the power to potentially cause a LOT of damage, but it’s the ability to decide whether or not to do the right thing with said knowledge which is important. They did the (almost) right thing and disclosed the bug in a mostly non-destructive way. It’s the whole “just because you can doesn’t mean you should” argument. TL;DR - Not all programmers are dicks who want to break everything!

@@__8120 No you can just do

how so?

@@thaichicken0210 Tweetdeck did sanitize user input except for a bug with emoji that broke the sanitation. Without the emoji the XSS didn't work.

@@thaichicken0210 from the author: "The ❤ was one of the UTF8 characters that got an visual upgrade that day. Before the update it would've displayed in the same font & color as the rest of the tweet. With the released update it was turned into an inline image. To display that HTML code was allowed within a tweet"

Ik u didn't ask but I'm taking gcse computer science and the fact that I understood this comment makes me really happy, thanks

@@chy4e431 That's called sanitazation.

@@chy4e431 sanitizing user input means replecing special characters with escape sequences, such as '

Mrs. Roberts would be proud.

did you just call pikachu a magic cat?

It's kinda sad he didn't make it retweet something offensive about a politician.

All modern politicians are offensive enough on their own, there's no more that it could have done.

Just follow a politician on Twitter if you feel like reading some obnoxious tweets. There are some really stupid people out there.

I know him, he's a nice guy and very friendly :)

@MikatGaming yes, if the website or app is not properly protected from it. That script would most likely be longer than the maximum allowed characters though.

I think i just had a stroke while trying to read that.

Or you could not because its a felony to even attempt it

TIMΞ СнΛИGΣ which law exactly? Because there are very few things that are illegal to even attempt that aren’t just a separate crime.

@@wolbobus2130 Lmao, I was starting to get angry at myself for not understanding