
"@" on Twitter - isp
https://twitter.com/intent/user?user_id=71996998
======
ClassyJacket
Slightly related but very interesting: the 2010 Twitter bug where simply
tweeting "Accept [username]" would automatically force them to follow you.

My understanding is that for the sake of simpler interfaces such as SMS, which
they let hold the whole service back for a long long time, they had a "follow
[username]" feature - and if the person had to approve follow requests, it
would send one to them. To accept the request, you just sent "accept
[username]" and the follow would happen. However, they never actually checked
that a request had ever been sent before allowing you to accept it, allowing
you to simply force anyone to follow you with a single tweet.

Next time you make a seemingly obvious mistake, don't feel too bad. Even
Twitter did it.

[https://techcrunch.com/2010/05/10/does-this-twitter-bug-forc...](https://techcrunch.com/2010/05/10/does-this-twitter-bug-force-anyone-to-follow-you/)

~~~
smelendez
Facebook had this bug as far as accepting group requests very early on, maybe
around 2010. Early enough that groups were limited to your college.

I wrote a script to accept invitations to every group ID from 1 to 10000. It
even added me to groups that didn't exist yet, presumably just adding my ID
and the group ID to a table. So when someone created a group to rant about me
being in all their groups, I was in it and, as the first member, an admin.

Facebook fixed the bug when I reported it and first kicked me out of my
legitimate groups, then fixed that too, though they didn't pay bounties then.
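
The missing check described in the two comments above (accepting a follow request or group invitation that was never sent), as an added example that is not part of the thread and is not Twitter's or Facebook's code. The `FollowGraph` class, its method names and the account names are hypothetical.

```python
# Added illustration; the data model and names are hypothetical.
class FollowGraph:
    def __init__(self, protected=()):
        self.protected = set(protected)   # accounts that must approve followers
        self.pending = set()              # (requester, target) awaiting approval
        self.follows = set()              # (follower, followee) edges

    def follow(self, requester, target):
        """'follow <target>': immediate edge, or a pending request if protected."""
        if target in self.protected:
            self.pending.add((requester, target))
        else:
            self.follows.add((requester, target))

    def accept_vulnerable(self, sender, named_user):
        """'accept <user>' as described: creates the edge with no lookup at all."""
        self.follows.add((named_user, sender))
        return True

    def accept_checked(self, sender, named_user):
        """'accept <user>' only consumes a request that named_user really sent."""
        request = (named_user, sender)
        if request not in self.pending:
            return False                  # nothing to accept: refuse, change nothing
        self.pending.remove(request)      # one-shot: the request cannot be replayed
        self.follows.add(request)
        return True


def demo():
    g = FollowGraph(protected={"alice"})
    # "mallory" sends "accept victim"; "victim" never asked to follow mallory.
    g.accept_vulnerable("mallory", "victim")
    forced = ("victim", "mallory") in g.follows

    h = FollowGraph(protected={"alice"})
    refused = h.accept_checked("mallory", "victim")   # no pending request exists
    h.follow("bob", "alice")                          # a genuine request
    granted = h.accept_checked("alice", "bob")
    replay = h.accept_checked("alice", "bob")         # already consumed
    return forced, refused, granted, replay, sorted(h.follows)
```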

~~~
pmarreck
> So when someone created a group to rant about me being in all their groups,
> I was in it and, as the first member, an admin.

fucking hilarity

~~~
ionwake
gave me a hearty laugh too wp OP

------
isp
At least two usernameless Twitter profiles exist:

[https://twitter.com/intent/user?user_id=34313404](https://twitter.com/intent/user?user_id=34313404)

[https://twitter.com/intent/user?user_id=71996998](https://twitter.com/intent/user?user_id=71996998)

(credit:
[https://twitter.com/FakeUnicode/status/989868697660477440](https://twitter.com/FakeUnicode/status/989868697660477440)
)

It is possible to retweet-with-quote the tweets, but not to retweet directly
or (as far as I can tell) to link to individual tweets directly.

EDIT: It is possible to link to individual tweets. Added links.

The user says (tweet_id 989794618467409920 -
[https://twitter.com/i/web/status/989794618467409920](https://twitter.com/i/web/status/989794618467409920)
) that there are "many bugs" using the account in various clients.

tweet_id 829989674353573889 (
[https://twitter.com/i/web/status/829989674353573889](https://twitter.com/i/web/status/829989674353573889)
) may be my all-time favourite tweet. (A tweet by @, with name @, contents @)

~~~
enthdegree
How could such an account have been created?

~~~
wpietri
I asked somebody who used to work there, and the answer I got was that there
are a bunch of accounts from back before validation was as tight as it is now.

Which seems reasonable to me. At-replies were not something that Twitter
started with, but instead were community-driven with software support added
later:

[https://blog.twitter.com/official/en_us/a/2008/how-replies-w...](https://blog.twitter.com/official/en_us/a/2008/how-replies-work-on-twitter-and-how-they-might.html)

It's a good reminder that it's always easier to relax restrictions than to
tighten them.

But then again, if Twitter early on were run by the sort of people who were
inclined to lock down everything, it might not have evolved enough to be
really useful to people. I hazily remember the Friendster guy getting really
mad that people were creating accounts for non-human things that they loved,
like cities and bars and companies. I think he went on a banning spree.
Instead of saying, "Look how much people love my platform! Let me support them
in their efforts."

~~~
CommieBobDole
If I recall correctly, when Google Plus was new and people were excited about
it, a whole bunch of companies flocked to the site to set up accounts for
their businesses. But Google hadn't launched the "business account"
functionality yet, so they banned them all.

I guess Google Plus and Friendster are good examples of how that mindset works
out.

~~~
Gigablah
Because nobody could conceivably impersonate a business and cause all sorts of
legal and PR issues.

~~~
computerfriend
Just like nobody could impersonate a person?

~~~
Gigablah
That's already a given. We are all, in a way, impersonating other (mostly
insufferable) persons.

------
ldjb
For a while I had my display name (as opposed to @ handle) on Twitter set to
the empty string. It didn't cause major issues as far as I could tell, though
it would cause some Twitter clients to display my tweets unusually.

I achieved this by entering a greater than symbol (>) in the input field.
Twitter presumably tried stripping any HTML tags, which resulted in an empty
string. I'm not sure if this still works; they might have fixed that bug.
Presumably something similar happened with the accounts that have empty @
handles.

~~~
hk__2
> I achieved this by entering a greater than symbol (>) in the input field.
> Twitter presumably tried stripping any HTML tags, which resulted in an empty
> string. I'm not sure if this still works; they might have fixed that bug.

I just tried it and got the following error:

> Name can't include 'invalid characters'

Note how it doesn’t define "invalid characters".

------
frou_dh
It seems a bit gross when usernames and normal pages are mashed into the same
namespace, e.g.

[https://twitter.com/search](https://twitter.com/search)

I guess Github does the same:

[https://github.com/pulls](https://github.com/pulls)

Reddit has the nice /u/... thing, but I suppose that is a bit awkward when
saying URLs out loud.

~~~
kiliankoe
Especially since it forces you to basically map out your entire site before
letting users register accounts. Or you rename users squatting your routes
later on, which seems like a terrible idea.

~~~
eddyg
Or, you take advantage of lists like this[0] and make sure users can’t pick
names that would be “problematic”.

[0] [https://zimbatm.github.io/hostnames-and-usernames-to-reserve...](https://zimbatm.github.io/hostnames-and-usernames-to-reserve/)
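
One way to combine the reserved-name check from this subthread with the empty-after-stripping case ldjb describes earlier, as an added example that is not part of the thread and not any site's actual code. The sanitizer, the 15-character pattern and the `RESERVED` sample are assumptions made for illustration.

```python
import re
import unicodedata

# Constructed sample; a real deployment would load a maintained reserved-name
# list plus every route the application serves.
RESERVED = {"search", "home", "pulls", "login", "settings", "admin"}
HANDLE_RE = re.compile(r"[a-z0-9_]{1,15}")   # assumed handle policy


def strip_markup(text):
    """Hypothetical sanitizer: drop tags, then any stray angle brackets."""
    return re.sub(r"[<>]", "", re.sub(r"<[^>]*>", "", text))


def normalize_handle(raw):
    """Sanitize and canonicalize first, so validation sees the stored form."""
    text = unicodedata.normalize("NFKC", strip_markup(raw))
    return text.strip().lstrip("@").casefold()


def validate_handle(raw):
    """Return (ok, detail); every check runs on the normalized value."""
    handle = normalize_handle(raw)
    if not handle:
        return False, "empty after sanitization"
    if not HANDLE_RE.fullmatch(handle):
        return False, "invalid characters or length"
    if handle in RESERVED:
        return False, "reserved name"
    return True, handle
```

Running the checks after sanitization is the point: an input such as `>` or a run of spaces passes a "non-empty" test on the raw string and only becomes empty once it has been stripped.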

~~~
kiliankoe
Ah thanks, I was looking for that earlier and couldn't find it :)

------
cromwellian
Reminds me on the old Commodore 64 Quantum-Link service (former version of
AOL), there was a hack called 'Q-Armor' where you could get a username of all
spaces, and no sysops or any chat room managers could kick you, or do anything
to your account.

~~~
rasz
people griefing in online games (hacks/aimbots) often run with nicks like
||||||||||II||I|||||||||||||II1111|||||||IIIIIIIIII||||||||||||

~~~
sizzle
I used to use aim chat booters by a blog named 'esoteric code' program was
called subterfuge. Familiar with it by any chance? I thought it was brilliant.

~~~
alanh
(not downvoting you, but your comment makes no sense at all to me)

------
ChuckMcM
That must be Bobby Droptables twitter account :-)

~~~
sulam
Classic! We named our guild in EQ "NULL", as a joke. People would comment that
we had a problem when they saw us running around with "<NULL>" running over
our head. It bit us on the ass when someone went to Sony's EQ con one year,
and they literally couldn't print out their badge because "your guild name is
NULL? Really?"

~~~
oneeyedpigeon
> they literally couldn't print out their badge

I still don't quite get how this doesn't work. Why are they handling "NULL" as
a special case? What's coercing "NULL" into null?

~~~
sulam
It was due to the way they exported the data. They used a SQL statement, and
if you weren’t in a guild then the SQL would produce NULL. That output was
then used to generate PDF badges, and it tried to do some filtering for NULL
guilds. The person writing that script clearly did not anticipate there
actually being a guild named NULL.

~~~
drb91
NULL or ‘NULL’? There’s a clear and obvious difference there.

~~~
kalleboo
Unless you're using ColdFusion
[https://stackoverflow.com/questions/4456438/how-to-pass-null...](https://stackoverflow.com/questions/4456438/how-to-pass-null-a-real-surname-to-a-soap-web-service-in-actionscript-3)

------
geuis
How big is twitter’s engineering department? Their mobile website doesn’t even
load the content of the tweet. Yesterday it was throwing an error that the api
was rate limited. For their own site! They’ve been systematically destroying
their own foundation by alienating the developer community for years and they
can’t even get their own product to work reliably.

~~~
FridgeSeal
Mobile Twitter is maybe the single most useless website I’ve ever had to use
lol.

Clicking on a link to a tweet has 1/20 chance of ever actually loading the
tweet. All other occurrences are evenly split between loading nothing except
the top bar and calling it a day, and throwing an error message. Reloading the
directly or using the reload button they provide will usually result in the
rate limiting message.

I don’t even bother clicking on twitter links anymore. I just hope it worked
for someone else and they paste the contents in the comments.

~~~
c22
I turned off Javascript and it worked fantastically.

~~~
FridgeSeal
I feel like every week I get another reason to turn JS off.

Really says a lot doesn’t it.

~~~
c22
The downside is the (disquietingly common frequency of) sites which return a
jumbled mess of incoherent elements or a blank page(!) when Javascript is
disabled.

------
sygma
Reminds me of some artists who included a script tag in their book title so
that when the book got listed on online shops it would make the page spawn a
JavaScript alert()

~~~
Kliment
Here's a talk by said artists (sorry about the title) that talks about this
and their other work
[https://media.ccc.de/v/34c3-9278-ecstasy_10x_yellow_twitter_...](https://media.ccc.de/v/34c3-9278-ecstasy_10x_yellow_twitter_120mg_mdma)

------
emmelaich
In the very early days of Google, searching for $@ or $* or some other shell-
sensitive character combos produced strange results.

I never did push it to the point of security exploitation.

~~~
blattimwind
I've seen a similar bug in a web forum where someone wondered why "ke$ha" is
rendered as "ke". "ke$DB" was quite interesting.

------
nevi-me
It's a lesson for us to learn when building services that people create
accounts on.

There's another one, [https://twitter.com/@home](https://twitter.com/@home).
It redirects back to Twitter's home page.

I discovered this while looking for "@home", which is a homeware store.

~~~
BillinghamJ
That will happen for any reserved names where it is used for a page rather
than registered by a user. e.g.:
[http://twitter.com/@search](http://twitter.com/@search)

------
dghughes
Michael from Vsauce mentioned this on his Twitter today and mere minutes later
@ replied "Hiya!" and I burst out laughing.

[https://twitter.com/tweetsauce/status/989899710176509952](https://twitter.com/tweetsauce/status/989899710176509952)

~~~
acobster
I thought it was funny and kind of charming that Vsauce is the single account
they follow.

------
cottsak
I love how the routing is all borked and you can't properly interact with that
account.

------
tedmiston
So, it seems like it's not possible to view this person's profile (at least on
the web app in Safari)?

Also can't retweet them.

------
thought_alarm
Perhaps we should go back to Usenet and IRC?

~~~
gukov
Simple things are hard to monetize.

------
warent
Is product quality degrading on the internet over time?

It used to be that once a week or longer I would find some amusing bug. But
now it's not uncommon that I encounter dozens of bugs daily on various
popular services that are worth $millions or $billions, which is just
obnoxious. Not only that, but usually the services have no way of filing a bug
report or getting in touch with support.

It seems like internet giants are becoming too big for their britches, and
also they're forcing each other into this insane cycle of "ship first, fix
later" just to stay competitive.

What can we do about this, if anything?

~~~
rco8786
You encounter dozens of bugs daily? That doesn’t really pass the smell test.

~~~
jimktrains2
Across multiple services that seems right. So much stuff has broken or buggy
UI it's not funny.

~~~
rco8786
Consider that the bare minimum for dozens is 24...

~~~
jimktrains2
There are _a lot_ of ui bugs. I easily hit 24 an hour with some products.

I probably hit at least 24 bugs a day on my phone. Apps crashing. Back not
working right. Apps popping up and disappearing. Unexpected latency causing
wrong things to be clicked on. They're all just papercuts, but there are so
many of them.

------
tempodox
So, did the devs programming the username field forget to sanitize text input,
or were they just working without a spec? Neither scenario would be
particularly surprising.

------
berendk
This XKCD[1] comes to my mind.

[1] [https://xkcd.com/1963/](https://xkcd.com/1963/)

~~~
acobster
Same.

------
notyourwork
Another case in the land of per client validation handled differently and
mostly incorrectly.

