How the Twitter bug could have been much much worse

Twitter with egg
Twitter was left with egg on its face earlier this week, when a Turkish heavy metal fan stumbled across a bug in the micro-blogging site that allowed any user to force others to follow them.

17-year-old high school student Bora Kirca, from the Turkish city of Zonguldak, uncovered that if you tweeted the words

accept <username>

then <username> will begin to follow your tweets, even though they have never requested to.

As a result a number of celebrities and other high profile Twitter users found that they were suddenly following complete strangers that they had no interest in.

How to force someone to follow you on Twitter

You might wonder how this chap discovered the flaw. Well, according to a Mashable report, Kirca is a fan of heavy metal band Accept, and when he posted a tweet saying

Accept pwnz

he suddenly discovered that the user @pwnz was now following him.

As news spread about how to force other Twitter users to follow Twitter accounts they weren’t interested in, more and more people on the site exploited the facility.

And that’s why things could have been much much worse. Imagine if this bug hadn’t become quite so public. Picture what could have happened if the people who had uncovered this loophole in Twitter were spammers and hackers, who could have exploited the facility to get innocent users to follow their accounts, and barraged thousands with dodgy and perhaps dangerous links to third party sites.

The opportunities for malware to spread, spam messages to be distributed and phishing scams to flourish, could have been enormous. Thankfully it doesn’t appear that the follow bug was exploited on any significant scale by the bad guys, but it could have been.

To their credit, Twitter responded fairly quickly once knowledge of the bug became mainstream. They disabled the ability to follow other accounts, and reset users’ follower accounts to zero while they fixed their systems.

Twitter comments on follow bug

Questions still remain, however, as to how such a simple flaw was left available for any Twitter user to exploit. The only silver lining is that it wasn’t exploited more maliciously.