Twitter confirms ‘auto-follow’ bug reports

For a while today, Twitter would let you force anyone to follow you. It was a hilariously simple trick, and equally bizarre. Even better? This bug was discovered by accident, by a Turkish Twitter user. Here’s what happened.

Our tip came to us through another Turkish Twitter user named Güntekin. His first message to us frankly sounded ridiculous. Preemptive [sic]:

A Turkish guy named Bora Kırca figared out accidently that if you tweet “accept username”, for example billgates, then bill gates will follow you.

it’s so stupid; but true.

Stupid, but yeah, true. It worked. We posted about it. Twitter went nuts, everyone’s follow numbers shot to zero, and Bora’s Twitter account was suspended. But how did he find this thing in the first place? Accidentally? Really? Güntekin explains:

[Bora] likes a group named “Accept” and to show his love, he tweets “accept pwnz”; but instead of seeing this post, he sees twitter user “pwnz” follows him.

He told his girlfriend, and together, they started doing exactly what anyone else would have: They made famous people follow them. Then he posted about it on his blog, here, in Turkish. Within hours, this was happening:

Twitter’s Response

So far, Twitter can’t do much but wait—for their engineers to clean up the mess, and to figure out exactly how this happened, and how to spin it. We reached out, but were told, understandably, that they are “looking into” our questions. Their official line so far is written like a bug report:

We identified and resolved a bug that permitted a user to “force” other users to follow them. We’re now working to rollback all abuse of the bug that took place. Follower/following numbers are currently at 0; we’re aware and this too should shortly be resolved.

It seems obvious that this bug had been lingering for a while, and that it was just a matter of time before someone caught it. It also seems obvious that Twitter should have caught it before rolling the “ACCEPT” feature into the main site.

Make no mistake: For hours, thousands of people were able to take control of other people’s Twitter accounts with a trick so easy that even the newest Twitterer could execute it. And I’d guess that for some time before it was public, people like Bora were accidentally compelling followers without even knowing it. Twitter was compromised. Though we obviously made ourselves targets, most of our accounts were effectively hacked—someone acted on our behalf, with our public Twitter identities, without our credentials.

In the end, Twitter will clean this up, and they (or we) will cleanse our followed lists. But the fear will, and should, remain: What if this was a little worse? What if a command gave people access to others’ Twitter accounts beyond the ability to force a follow? This was an inconvenience; that would have been a disaster.
