Hacker News new | past | comments | ask | show | jobs | submit login
Ask HN: Massive vulnerability on Twitter?
57 points by hcho on May 10, 2010 | hide | past | favorite | 48 comments
It seems that you can make anybody follow you by tweeting "accept username". Does it work for you too? This looks like an awful vulnerability to me.



I believe the 'Accept' is used when you are in private mode and you get notice that someone wants to follow you. So they don't check if the user is in the request queue. Bad bad programmer.


Good lord, how would twitter recover from that? Possibly by undoing follow's between the moment this bug has surfaced and the moment they suspend following. Meanwhile they'll loose a huge number of legitimate follow request. Terrible stuff.


Or find all statuses that have the pattern of "accept <valid_username>" and then removing <poster> from the <valid_username>'s followers.

That's not the hard part.

The hard part is that it seems that twitter wasn't checking accept messages to see if they were actually requests behind them or if the accepting user is actually a restricted account. So now they have to implement a mechanism that associates follow requests with follow acceptance.

Currently, the exchange is probably something like this behind the scenes: me: @restrictedUserIWantToFollow lemme follow you them: accept guyWhoWantsToFollowMe Everything simply implemented as twitter messages to facilitate cell phone usage. However, the accept message just assumes that there is a valid request being made and adds them to your followers.

Assumption: the mother of all foul-ups.


2nd Assumption: Twitter stores commands that don't get posted as statuses.


I suppose they have a record of all the commands executed.


Follower and followee counts seem to be back. Anyone seeing lost legitimate follows?


Mine were reset to zero but the numbers are the same now.


LOL... sorry but when you say it that way it's actually pretty funny.


If that works there must be other "cool" commands the coder added after implementing this one...


It's not just a false display, either; it's a real follow: I tried it against my main account using a secondary account, posted a tweet, and then checked Twitterrific on my main account. The new tweet was right there at the top.


Ah, the joys of in-band signaling. Now, where'd I put my blue box?


http://twitter.com/conanobrien yep it is working. Conan is following 23 people now. He only follows one person.


All twitter accounts are reporting 0 followers / 0 following. This is going to be a fascinating study on how Twitter manages crises.


It looks like this guy is the one who discovered it:

http://twitter.com/borakrc



Sorry, the profile you are trying to view has been suspended.


Wow, that was quick (or the timing was just right) - it was available 10 minutes ago.


and his account has been suspended.


looks like they are getting on top of it, it is on mashable, and i now have 0 followers and am following 0. nice fun, best pr would be to clean it up, and publish who did what and when (hahah)


Kudos to Twitter for taking action quickly at least.


That's quite funny. I just wanted to try this out and received an internal server error. Now all my followers are gone nor am I still following anyone. Twitter strikes back!


It's 0 for me, and I didn't send an "accept" tweet.


Funny though ;-) Those guys are quick!


The number of conanobrien's "friends" is going up ...


I am one of them! Definitely strange how twitter would allow these "commands"...


It seems they are doing something about it already, the few 'high profile' users I checked now have 0 following and followers.


Looks like they are fixing the problem, everyone has 0 followers and 0 following right now.


Looks like they're working on it... following/followers counts are blank for everyone


Seems to be fixed. I get an internal server error now. Damn, that was interesting.


What about "reject"? Can you get people to UNFOLLOW you as well?


Yeah, block them, then they won't be able to follow you. Although if your timeline is not private they can still read your feed at twitter.com/yourname


you might, but not using reject.


DO NOT DO IT! I just attempted an Accept BillGates and both my "followers" and "following" are reset to zero. this better be a bug. http://twitter.com/faramarzhashemi


Actually, I didn't do it .... and everything is set to 0's on my profile as well. Either it's part of their clean-up, or their attempts to fix this accidentally wiped everybody back to zero.


Yea.. Sorry folks. Pre-mature panic. Looks like a site-wide event


Confirmed and it works, nice catch.

How do you find it?


It works through the mobile web too


Stephen Fry is following me XD


Good thing they have OAuth.


yep me too, 0 and 0 after testing it . . .


conan is following me too.

wow.


obama is following me :)


... ditto. :)


Fail. Whale.


Massive oil spill on the social graph. Cleaning would be just as fun.


Perfect analogy. Looks like Twitter is resetting followers/followees as we speak for people trying it. Is this their 4 story containment unit?


confirmed it works


Just lost all my followers and the people i was following!!!! OMG!!!! Twitter took action.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: