
Twitter bug: Make anyone follow you on Twitter - yigit
http://blog.gcg.me/post/587047998
======
savrajsingh
I would guess this exploit has always been possible until today? What's
interesting is that someone has probably been wielding this secret power well
before it got outed here on hacker news.

~~~
rmorrison
Or, is there anybody whose career took off due to this bug? For example, a
musician who got signed primarily because all of the top 50 music producers
were following him on twitter.

~~~
HowardRoark
I have written a script to follow 1000 users on my niche every day. I find
that around 15% of users follow me back. In the next couple of days, I remove
the rest 85%. I have been doing this for a few months now and I have a few
thousand followers on a few twitter accounts. I have set up websites for each
of those niches and get decent amount of traffic through twitter. Been banned
the first few times, but I have found my ways around it (mostly).

~~~
drp
Please stop doing that. It's bad for the world.

~~~
akadruid
Please stop caring. It's bad for your blood pressure.

Seriously, it's only Twitter. Conflict, famine, and poverty are bad for the
world, but Twitter doesn't matter.

~~~
jrockway
Destroying communities for your own personal gain is a problem that extends
much beyond Twitter.

~~~
akadruid
Twitter is not a community. Twitter is a tool. A community can use Twitter,
but I think describing spamming Twitter as destroying a community is
disingenuous. The success of email, usenet and blogs/microblogs etc depend on
their openness and easy access to all. Which also means people can and will
spam them. So spam on twitter should be seen as a natural and necessary
side-effect, not the end of twitter. Berating the spammers will only increase your
blood pressure - the spammers, tweeters and Twitter itself will continue as
always.

------
ilike
Official:

<http://status.twitter.com/post/587210796/follow-bug-discovered-remedied>

~~~
axod
Doesn't seem like a bug to me, it looks like a poor design choice. How many
other "special" tweet commands are there?

edit: anyone downmodding care to suggest how putting "accept[username]" in a
tweet would be considered a 'bug'?

~~~
chc
It's not that writing "accept [username]" is a bug — the bug is that you can
use it to accept people who haven't asked to follow you. Similarly, OK buttons
in dialogs are not a bug, but it would be a bug if they all had the same
effect as the OK button in the dialog "Are you sure you want to erase your
boot drive?"

~~~
axod
I still don't understand what you're saying.

It's obviously not a bug. It's a hidden feature. An easter egg. A flaw in
their design.

They didn't "accidentally" make a special command in tweets that can cause
others to follow you. They specifically intended for it to be that way.

Suggesting it's a "bug" is silly. Suggesting they "fixed the bug" is
misleading.

~~~
gigantosaurus
They specifically made a feature that allows you to respond to follow requests
by tweeting "accept username". The bug is not checking that the person has
actually requested to follow you when processing that response.

~~~
axod
That's an oversight IMHO. A bad design decision. It's not a bug. But we're
arguing semantics I guess.

Is the feature documented then? I assumed it was a hidden secret thing.

~~~
chc
By the same logic, a crasher because you forgot to check for NULL is an
oversight rather than a bug. Both are cases of checks that should have been
done and incorrect behaviors caused by failure to perform those checks. I say,
if a piece of code does something it isn't intended to do or fails to do
something it is meant to do, that's a bug. The bug might be the result of a
poor design decision, but unless the behavior is intentional, it's a bug.

~~~
axod
I wasn't aware that the feature was public. If it was a public feature, and it
was failing to check that the target had actually added you, then sure - it's
a bug.

I assumed that it was more of an intentional 'backdoor'.

~~~
chc
As far as I'm aware, it's a feature that's meant to allow users to accept
followers by text (there's a separate interface on the website for accepting
follow requests). The bug is that it didn't check whether those people had
actually _requested_ to follow you. That's what articles on the subject have
indicated, anyway.

------
galactus
amazing. They found out, it seems: right now everyone seems to have 0
following and 0 followers.

~~~
HowardRoark
Thank god. It's everyone.

~~~
barnaby
I had the exact same feeling of panic, then relief to find out I'm not alone.

------
obsaysditto
It's coincidental that Conan tweeted this message a couple days ago:

 _"If it ever says I’m following more than one person, I’ve been hacked. I’m a
completely monogamous Twitterer—I only follow Sarah Killen."_

<http://twitter.com/ConanOBrien/status/13631062967>

~~~
zach
Wow, Conan's Twitter account is not only a test, he's got a user story (that
just turned red):

In order to provoke curiosity and amusement

As a celebrity comedy writer and television host

I want to only be shown as following one otherwise-unknown person in Michigan

------
lpgauth
If you tweet “accept [Twitter Username]”, the other user will automatically
follow you.

eg. "accept snoopdog"

------
maxklein
Wow, this works. SnoopDogg is now following me:
<http://twitter.com/snoopdogg>. I'm the cartoon figure.

~~~
notauser
Bad plan to try this out with an account you value - if they can identify who
has used the exploit they will probably ban you when the dust settles.

~~~
maxklein
Is it an exploit or is it a valid command? I don't think we hacked anything,
we just typed in some text that causes people to follow us, for all we know
that's a new feature of twitter.

~~~
doki_pen
Unfortunately, they can probably do whatever they want with this, whether
people think it's fair or not.

------
bena
I don't think they've actually wiped out your followers and people you follow.
I think they just prevented us from accessing those tables because I'm still
getting tweets from people I follow, I just can't see the lists.

------
tibbon
Wondering if there will be repercussions for people using this, or if they are
able to track it? They aren't able to keep a lot of logs due to the volume.

~~~
sjwalter
They are at least able to tell if you've used it--my account just lost all its
followers. <http://twitter.com/sjwalter>

I'd had a legitimate 30ish followers, used this bug a few times, now 0.

~~~
johns
I think everyone is at 0. I didn't use the bug and I'm at 0/0

~~~
barnaby
confirmed, everyone is at 0

------
fijter
Twitter damage control: TRUNCATE followers;

------
rmorrison
I can't believe they didn't create an OOB mechanism for accept/deny requests,
especially since they send so much meta data w/ each tweet anyway.

This seems like an extremely basic design flaw.

------
sjwalter
Heh, I used this a bunch of times. It did work just fine, I had all sorts of
people following me who really shouldn't care about me. And now I have 0
followers.

~~~
chegra
I went crazy and started adding the top 200 twitter accounts:
<http://twitaholic.com/top100/followers/>

Thought I could sell it afterwards or something. lol

~~~
HowardRoark
I only added top people on my niche!

------
chegra
Sweet works for me. Check my followers: <http://twitter.com/chegra>

~~~
chegra
Game is over, I have zero followers now.

------
yigit
the user who found this says he was trying to tweet "accept pwnz" where accept
is a music group name.

~~~
julio_the_squid
Yeah! BALLS TO THE WALL!

This is such an odd bug. I guess it goes to show that nobody knows what
strange code which should have been removed four years ago lurks in the heart
of Twitter.

------
gokhan
The Turkish user who found the bug explains it here (in Turkish):
<http://inci.sozlukspot.com/e/4266098/>

And people wondering why Axl Rose is following him here :)
<http://www.mygnrforum.com/index.php?showtopic=164026&st=0>

------
ErrantX
That's an utterly insane bug! Some kind of debug accidentally left in? Or an
admin phrase not authorised properly?

~~~
jacquesm
Laziness and security by obscurity.

------
jasonlbaptiste
better question: does it produce a full follow ie- if i did this bug, would
billgates actually see me in his stream? OR does it just increase the follower
count+i show up on his sidebar. if it's the former, then wow. I know they're
clearing it out now, but somebody must have been using this for a while.

~~~
mortenjorck
I tried it between my main account and a disused one and tweets from the
attacking account showed up both through the web interface and through the
API.

------
tszming
Update (6:30 PM PST): We’ve finished our cleanup of the spurious followings
generated a result of this bug. If you are still seeing folks you are
following who you didn’t choose to follow, please use the block or unfollow
tools to remedy.

Obviously, their so called "cleanup" is incomplete, at least for me :)

------
InclinedPlane
Allegedly fixed, twitter is working on rolling back abuses of the hack.

<http://status.twitter.com/post/587210796/follow-bug-discovered-remedied>

~~~
tlrobinson
Fortunately for Twitter it's incredibly easy to track (/^accept \w+$/)

~~~
InclinedPlane
Not quite. _accept <username>_ is a perfectly valid command, but it is
designed to allow someone requesting to follow you to follow you. Twitter
needed to find accept requests which did not have matching follow requests,
which is a bit more effort (but not much, I'd imagine).

As of now the problem appears to be fixed for a lot of people already.
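
The check described in this sub-thread (an accept command is honoured only when a matching follow request is pending, and accepts without one are flagged for cleanup), as an added example that is not part of the thread and not Twitter's code. `FollowGraph`, `audit`, the event format and the sample log are all hypothetical and constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed pattern for the tweet command discussed in the thread.
ACCEPT_RE = re.compile(r"^accept\s+@?(\w+)$", re.IGNORECASE)

@dataclass
class FollowGraph:
    """Hypothetical model: pending requests and approved follow edges."""
    pending: set = field(default_factory=set)  # (requester, target)
    follows: set = field(default_factory=set)  # (follower, followed)

    def request_follow(self, requester, target):
        self.pending.add((requester.lower(), target.lower()))

    def accept(self, owner, username):
        """Approve username as a follower of owner only if they asked."""
        key = (username.lower(), owner.lower())
        if key not in self.pending:  # the state check the thread says was missing
            return False
        self.pending.remove(key)
        self.follows.add(key)
        return True

def audit(events):
    """Replay events; return (accepts with no matching request, follow edges)."""
    graph, spurious = FollowGraph(), []
    for kind, actor, arg in events:
        if kind == "request":
            graph.request_follow(actor, arg)
        elif kind == "tweet":
            m = ACCEPT_RE.match(arg.strip())
            if m and not graph.accept(actor, m.group(1)):
                spurious.append((actor, m.group(1).lower()))
    return spurious, graph.follows

# Constructed sample log: (event kind, acting account, target or tweet text).
EVENTS = [
    ("request", "bob", "alice"),
    ("tweet", "alice", "accept Bob"),          # matches bob's pending request
    ("tweet", "mallory", "accept celebrity"),  # nobody asked to follow mallory
    ("tweet", "carol", "I accept the award"),  # ordinary tweet, not a command
]

if __name__ == "__main__":
    print(audit(EVENTS))
```

Matching on the command text alone would also flag alice's legitimate accept; joining against pending requests leaves only the entry that has to be rolled back.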

------
jgrahamc
Yes, this does work. Now what's the opposite verb to make someone unfollow me?

~~~
remi
"block" :P

------
djb_hackernews
watch everyone play!

<http://search.twitter.com/search?q=accept>

------
jeiting
Wow, tested and verified.

Somebody is working late tonight.

------
maxklein
I wonder if they are going to be able to undo this. Do they have a two sided
log of the follow process? If it's just one-sided, they may be able to fix the
bug but not to reverse the damage.

~~~
petercooper
I suspect the Summize technology is better than they let on, and they can just
do a search for tweets starting with "accept." I doubt there are many legit
ones like that.

------
TrevorBramble
Interesting. My "following" and "followers" counts just dropped to 0.

------
thedjpetersen
Jason Calacanis dream come true :P

------
olh
Seems that the fix is just a filter. Is anyone else trying to bypass with html
ascii? A few minutes ago, a prompt with the html ascii returned a +0x36 on
every char. Now it does not give feedback.

"accept BillGates": &#61 ;&#63 ;&#63 ;&#65 ;&#70 ;&#74 ;&#20 ;&#42 ;&#69 ;&#6C
;&#6C ;&#47 ;&#61 ;&#74 ;&#65 ;&#73 ;

Maybe they already _really_ fixed this bug (I hope).

------
nutmeg
There could be notoriety for anyone who does this to Conan O'brien. He only
follows one person AFAIK.

Edit: Looks like this probably already happened.

~~~
dmn001
ConanOBrien was following 190 a few seconds ago, now there are 266 and it's
rising.

~~~
barnaby
Now he's at 0 along with everyone else

------
aditya
Whatever it was, got removed or keeled over...

~~~
yigit
i thought tumblr removed the post, but it seems like it is working now.

------
whakojacko
Even without this bug, I don't think they should still allow commands via tweet
at all. It made sense when most tweets were via SMS, but not anymore...Maybe
for emerging markets with heavy SMS usage, add a 2nd number to send commands
to isolate the two?

~~~
julio_the_squid
Follow and Block make sense as commands you can send through a message. But
Accept? Why would you ever be able to control an action on someone else's
account? It's rather odd that this exists at all.

~~~
duskwuff
If you've got your tweets protected (private), you have to _accept_ users to
allow them to follow you.

~~~
julio_the_squid
I think you've missed the point here. This isn't a command that tells your
account to accept follow request, or adds someone to your following list -
this is a command that instantly makes other people 'accept' a follow request
from YOU. This works completely differently in how it would consider the
username parameter, and in that the change is applied to the other person's
account, not yours.

------
mrduncan
They appear to be working on some sort of fix right now.

If you look at "following" lists, everything is showing up as zero for me
right now, as in it shows that I'm not following anyone. All other users that
I check are also showing that they aren't following anyone.

------
blizkreeg
Oooo approaching 2012 ;) Louisiana oil spill. Massive Twitter bug. Sticky
finger Dow collapse. Facebook losing its privacy mojo.

And to top it off, one line of code I checked in late last night prevented 200
new users from signing up on my freshly minted site.

------
mtinkerhess
It appears that they just wiped everyone's list of followers? My feed still
works though.

------
orblivion
This is up there with putting everybody in a root terminal by default on their
Androids.

------
lukeqsee
Everyone shows 0 followers, but your stream still shows those you follow.
Interesting.

------
RyanMcGreal
BBC has a report on this:

<http://news.bbc.co.uk/2/hi/technology/10106166.stm>

------
araneae
Exploit is fixed, and follower lists are rolled back, but they didn't do a
perfect job...

Felicia Day is still following me. ^-^

------
shrikant
Link doesn't work - does a server hammering lead to a 404? I didn't know it
could...

------
goldham
I would not want to be in the Twitter offices today. Good day to call in sick.

------
dmn001
Is it broken now? Both followers and follow count is 0 now?!

------
jeiting
Now I am getting a 502 when I try to post accept messages.

------
maxklein
Okay, all followers of everyone just dropped to 0...

~~~
maxklein
And the command now gives "internal server error"

------
yigit
here is the official twitter status blog: <http://status.twitter.com/>

------
CoryMathews
Wow they fixed that really fast.

------
lukejduncan
mirror?

~~~
yigit
<http://eu.techcrunch.com/2010/05/10/does-this-twitter-bug-force-anyone-to-follow-you/>

------
acangiano
EDIT: My original message invited people not to try this. It turns out that
everyone's counter is showing zero followers, regardless of whether you tried
the hack or not. Thanks Travis for pointing this out. I was misled by my
desktop client which cached my follower number.

~~~
travisp
even if you don't try it, you'll lose all of your followers

