For a while today, a Twitter bug let anyone force anyone to follow their accounts. It was a hilariously simple trick, and equally bizarre. Even better? This bug was discovered by accident, by a Turkish Twitter user. Here’s what happened…
The initial tip came through another Turkish Twitter user, named Güntekin. His first message frankly sounded ridiculous (Preemptive [sic]:
A Turkish guy named Bora Kırca figared out accidently that if you tweet “accept username”, for example billgates, then bill gates will follow you.
it’s so stupid; but true.
Stupid, but yeah, true. It worked. Gizmodo posted about it. Twitter went nuts, everyone’s follow numbers shot to zero, and Bora’s Twitter account was suspended. But how did he find this thing in the first place? Accidentally? Really? Güntekin explains:
[Bora] likes a group named “Accept” and to show his love, he tweets “accept pwnz”; but instead of seeing this post, he sees twitter user “pwnz” follows him.
He told his girlfriend, and together they started doing exactly what anyone else would have: They made famous people follow them. Then he posted about it on his blog in Turkish. Within hours, this was happening:
Prominent Twitterers were getting, er, Twaped. Then, through Güntekin and people like him, word trickled west.
Right, so that’s evidently how the bug was found, but why was it there in the first place? It was so naked and simple—just type “accept username” and you’ve got a new follower—that its existence strained belief. Why would typing a command like that do anything, much less rip a hole in Twitter’s delicate infrastructure?
Text commands have been with Twitter since the start, and many still work. Type “STATS” and you’ll get a rundown of your Twitter numbers; type “FOLLOW USERNAME” and you’ll follow; Tweet “RT USERNAME” and you’ll retweet a user’s last message. These are all documented.
What’s not documented is the ACCEPT command, which was what made this trick work. It’s not clear what this command is (or was) supposed to do, but it’s pretty clear what it did do.
Update: Reader Rhainor explains:
Its intended use was for people who have their tweets protected. If you try to follow someone who’s protected, instead of instantly following them, it sends a request to the user (“‘username’ has requested to follow you”). To allow them to follow you, you ‘accept’ the request (in my experience, by clicking a button, but for people who rarely use , the text command makes sense).
So far, Twitter can’t do much but wait—for their engineers to clean up the mess, and to figure out exactly how this happened, and how to spin it. We reached out, but were told, understandably, that they are “looking into” our questions. Their official line so far is written like a bug report:
We identified and resolved a bug that permitted a user to “force” other users to follow them. We’re now working to rollback all abuse of the bug that took place. Follower/following numbers are currently at 0; we’re aware and this too should shortly be resolved.
It seems obvious that this bug had been lingering for a while, and that it was just a matter of time before someone caught it. It also seems obvious that Twitter should have caught it before rolling the “ACCEPT” feature into the main site.
Make no mistake: For hours, thousands of people were able to take control of other people’s Twitter accounts with a trick so easy that even the newest Twitterer could execute it. And I’d guess that for some time before it was public, people like Bora were accidentally compelling followers without even knowing it. Twitter was compromised. Though we obviously made ourselves targets, most of our accounts were effectively hacked—someone acted on our behalf, with our public Twitter identities, without our credentials.
In the end, Twitter will clean this up, and they (or we) will cleanse our followed lists. But the fear will, and should, remain: What if this was a little worse? What if a command gave people access to others’ Twitter accounts beyond the ability to force a follow? This was an inconvenience; that would have been a disaster.