Naked Security

Sick of Twitter’s 140-character limit? These guys gave themselves 30,000!

When Twitter launched in 2006, it had to decide what the longest possible message could be.

The limit chosen was 140 characters – which, not at all co-incidentally, means that tweets fit easily into the 161 characters available in mobile phone SMS messages, better known as texts.

This very handily made the newfangled microblogging platform compatible with all mobile phones, back in the days when smartphones with proper internet access and on-screen keyboards were a rarity.

In fact, Twitter-via-SMS never became a thing, but Twitter stuck to 140 characters nevertheless.

Indeed, it’s only recently that Twitter has been toying with the idea of allowing longer tweets, with selected users getting the right to use up to 280 characters in a single message.

Over the weekend, however, a couple of naughty Germans realised that they could beat the 140-limit, and indeed the heady new 280-character experimental limit, by miles (or kilometres, perhaps, given that they were German).

The trick they used has now been blocked by Twitter, but as far as we can see, it was absurdly simple.

Autoshortening

In the early days of Twitter, putting a clickable link into a tweet cost you the full length of the URL, so that a URL like https://nakedsecurity.sophos.com/ used to take up a full 33 characters.

Nowadays, however, URLs are converted automatically by Twitter into a shortened form, such as https://t.co/t3gWnOLePX. (Twitter owns the t.co domain for exactly this purpose.)

The fixed-length code at the end of the new shortened URL (above, that’s the text t3gWnOLePX automatically redirects visitors to the original URL you typed in.

Your tweet is only “billed” for the length of the shortlink, even if your original URL was much longer.

So the German pranksters used a very, very long URL indeed – one that didn’t and couldn’t exist, not least because domain names can never be longer than 64 characters:


https://Tpry6iry6iwy3ziwi35dwdw35iu3wtduayetwuyt33udwtuwy3tdweutu
wyetywwsuuwytuqsetuswtuw..[about 27,000 characters]..wutdw5uu.cc/
tsyaut..[about 3000 characters]..auyatyuatutsysutusytysuteusyyust

Despite the unusability and illegality of the enormously long URL in the submitted tweet, it seems that Twitter not only shortened it and accepted it, but also faithfully reconstructed and printed it out whenever the tweet was displayed.

The pranksters didn’t try to embed any sort of legible message in their uebertweet – it looks as though they just hammered down on the keyboard (or used a random keypress generator), but they did manage a length of more than 30,000 characters.

Leute! [Wir] können der Zeichen Limit überschreiten!
Ihr glaubt uns nicht? Hier der ca. 35k Zeichen Beweis.

Dudes! [We] figured out how to exceed the character limit!
Don’t believe us? Here’s a 35,000 character proof.

As you can imagine, a tweet of that length played visual havoc with users who tried to look at it, so Twitter wasn’t pleased at all, and kicked the German pair off Twitter for violating the site’s terms of service.

Apparently, the naughty boys have been readmitted after one of the said that they were sorry – after all, no malware was disseminated; no unlawful content disseminated; no fake news dispersed; and no lasting harm done.

What to do?

If you’re a programmer, there’s a vital lesson in this incident.

Watch out for the sort of security flaws that can happen when you measure things in different ways at different times!

Twitter counted a 30,000-character string as being just 10 bytes long (the length of its t.co shortcode) when figuring out if it would fit into the 140-character limit, but expanded it back to its full 30,000 characters when formatting it for display.

In this case, nothing malicious happened, but there are many analogous cases where exploitable security vulnerabilities could have arisen from this sort of blunder.

For example, if you allocate a memory buffer of 256 bytes to hold a message, then you can’t blindly assume that your buffer is big enough for every possible message of 256 characters.

After all, not all characters fit into one byte. (Chinese characters don’t, for example; nor do emojis and the characters of many other writing systems.)

As any carpenter will remind you, “Measure twice, cut once”!