When Twitter launched in 2006, it had to decide what the longest possible message could be.
The limit chosen was 140 characters – which, not at all co-incidentally, means that tweets fit easily into the 161 characters available in mobile phone SMS messages, better known as texts.
This very handily made the newfangled microblogging platform compatible with all mobile phones, back in the days when smartphones with proper internet access and on-screen keyboards were a rarity.
In fact, Twitter-via-SMS never became a thing, but Twitter stuck to 140 characters nevertheless.
Indeed, it’s only recently that Twitter has been toying with the idea of allowing longer tweets, with selected users getting the right to use up to 280 characters in a single message.
Over the weekend, however, a couple of naughty Germans realised that they could beat the 140-limit, and indeed the heady new 280-character experimental limit, by miles (or kilometres, perhaps, given that they were German).
The trick they used has now been blocked by Twitter, but as far as we can see, it was absurdly simple.
Autoshortening
In the early days of Twitter, putting a clickable link into a tweet cost you the full length of the URL, so that a URL like https://nakedsecurity.sophos.com/ used to take up a full 33 characters.
Nowadays, however, URLs are converted automatically by Twitter into a shortened form, such as https://t.co/t3gWnOLePX. (Twitter owns the t.co domain for exactly this purpose.)
The fixed-length code at the end of the new shortened URL (above, that’s the text t3gWnOLePX) automatically redirects visitors to the original URL you typed in.
Your tweet is only “billed” for the length of the shortlink, even if your original URL was much longer.
So the German pranksters used a very, very long URL indeed – one that didn’t and couldn’t exist, not least because domain names can never be longer than 64 characters:
https://Tpry6iry6iwy3ziwi35dwdw35iu3wtduayetwuyt33udwtuwy3tdweutu wyetywwsuuwytuqsetuswtuw..[about 27,000 characters]..wutdw5uu.cc/ tsyaut..[about 3000 characters]..auyatyuatutsysutusytysuteusyyust
Despite the unusability and illegality of the enormously long URL in the submitted tweet, it seems that Twitter not only shortened it and accepted it, but also faithfully reconstructed and printed it out whenever the tweet was displayed.
The pranksters didn’t try to embed any sort of legible message in their uebertweet – it looks as though they just hammered down on the keyboard (or used a random keypress generator), but they did manage a length of more than 30,000 characters.
Leute! [Wir] können der Zeichen Limit überschreiten!
Ihr glaubt uns nicht? Hier der ca. 35k Zeichen Beweis.
Dudes! [We] figured out how to exceed the character limit!
Don’t believe us? Here’s a 35,000 character proof.
As you can imagine, a tweet of that length played visual havoc with users who tried to look at it, so Twitter wasn’t pleased at all, and kicked the German pair off Twitter for violating the site’s terms of service.
Apparently, the naughty boys have been readmitted after one of them said that they were sorry – after all, no malware was disseminated; no unlawful content disseminated; no fake news dispersed; and no lasting harm done.
What to do?
If you’re a programmer, there’s a vital lesson in this incident.
Watch out for the sort of security flaws that can happen when you measure things in different ways at different times!
Twitter counted a 30,000-character string as being just 10 bytes long (the length of its t.co shortcode) when figuring out if it would fit into the 140-character limit, but expanded it back to its full 30,000 characters when formatting it for display.
In this case, nothing malicious happened, but there are many analogous cases where exploitable security vulnerabilities could have arisen from this sort of blunder.
For example, if you allocate a memory buffer of 256 bytes to hold a message, then you can’t blindly assume that your buffer is big enough for every possible message of 256 characters.
After all, not all characters fit into one byte. (Chinese characters don’t, for example; nor do emojis and the characters of many other writing systems.)
As any carpenter will remind you, “Measure twice, cut once”!
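As an added illustration of this lesson (not code from Twitter or from the original article), the Python sketch below models a tweet check that bills URLs at shortlink length but renders them in full, next to a version that also bounds the expanded URL, plus a buffer check that measures bytes rather than characters. The URL regex, the 2048-character cap and all function names are assumptions made for the example.

```python
import re

TWEET_LIMIT = 140                       # character limit from the article
SHORTLINK = "https://t.co/t3gWnOLePX"   # example shortlink from the article
MAX_URL_LEN = 2048                      # assumed cap on the expanded URL
URL_RE = re.compile(r"https?://\S+")    # simplified URL matcher (assumption)


def billed_length(text):
    """Length used at submission: every URL costs one shortlink."""
    return len(URL_RE.sub(SHORTLINK, text))


def rendered_length(text):
    """Length seen at display time, with URLs expanded back to the original."""
    return len(text)


def accept_flawed(text):
    """Checks only the billed length, as in the incident described."""
    return billed_length(text) <= TWEET_LIMIT


def accept_hardened(text):
    """Also bounds what will actually be rendered: each expanded URL."""
    urls = URL_RE.findall(text)
    return accept_flawed(text) and all(len(u) <= MAX_URL_LEN for u in urls)


def fits_buffer(text, size):
    """Measure in the unit the buffer uses: UTF-8 bytes, not characters."""
    return len(text.encode("utf-8")) <= size


# Constructed sample inputs
NORMAL = "Read https://nakedsecurity.sophos.com/ today"
PRANK = "Proof: https://" + "a" * 27000 + ".cc/" + "b" * 3000

if __name__ == "__main__":
    for name, tweet in (("normal", NORMAL), ("prank", PRANK)):
        print(name, billed_length(tweet), rendered_length(tweet),
              accept_flawed(tweet), accept_hardened(tweet))
    print(fits_buffer("a" * 256, 256), fits_buffer("字" * 256, 256))
```

The flawed check passes the constructed 30,000-character tweet because it only ever sees the billed length; the hardened check and the byte-based buffer check each measure the quantity that is actually consumed later.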
It’s a bit amusing to think of someone scrolling down and down and down and down…trying in vain to decipher what they surmise just MUST be an important message. I certainly can see myself trying for at least a couple screen spans before deciding I’ve better things to do.
But yes, the programmatic lesson is a good one. Thanks Duck.
Well, the pranksters talk about “crashes”, so perhaps some Twitter clients had trouble displaying the superlong and unexpected messages? At any rate, their behaviour was knowingly disruptive against the live Twitter ecosystem, which explains why Twitter read these jokers the riot act.
For sure… just because one *can* doesn’t mean one *should*
I wonder if this (admittedly short-lived) condition could’ve created and exploited issues of the “buffer overrun” variety.
How many times have we heard developers say; “No one would do THAT!”? My response is, someone will ALWAYS do that.
“In fact, Twitter-via-SMS never became a thing” – it certainly did, I first used Twitter via SMS in the very early days
I spoke colloquially – I meant “it never caught on for very long.” Once apps such as Hootsuite and Tweetdeck showed up, SMS was never going to be anywhere enough control…
it was the best, Stuart. I miss those simple innocent days of getting messages via text and replying via text….no lists, no groups, …bliss
Like phone calls with exactly two participants! (A lot easier to keep track of what you’re talking about.)