I would guess this exploit has always been possible until today? What's interesting is that someone has probably been wielding this secret power well before it got outed here on Hacker News.
Or, is there anybody whose career took off due to this bug? For example, a musician who got signed primarily because all of the top 50 music producers were following him on Twitter.
I have written a script to follow 1000 users in my niche every day. I find that around 15% of users follow me back. In the next couple of days, I remove the remaining 85%. I have been doing this for a few months now and I have a few thousand followers on a few Twitter accounts.
I have set up websites for each of those niches and get a decent amount of traffic through Twitter.
Been banned the first few times, but I have found my ways around it (mostly).
Twitter is not a community. Twitter is a tool. A community can use Twitter, but I think describing spamming Twitter as destroying a community is disingenuous. The success of email, usenet and blogs/microblogs etc depends on their openness and easy access to all. Which also means people can and will spam them. So spam on Twitter should be seen as a natural and necessary side-effect, not the end of Twitter. Berating the spammers will only increase your blood pressure - the spammers, tweeters and Twitter itself will continue as always.
I disagree with the "it's only Twitter" because Twitter is becoming increasingly important to me, but yeah, not worth getting angry about. At least that's what I tell myself.
If they are providing actual value, and people care enough to follow them back - where's the bad for the world part? Unless it's just selling vi4gr4, then perhaps. But they're not actively spamming people (unless they follow them back, in which case they opted in.)
I'd actually love being marketed to this way, and I think it is a viable way of allowing the marketing you want into your life. As opposed to "hot girls are waiting for you on Zoosk"
Instead of manually finding interesting people on my niche, I set my criteria and let my program do the dirty work for me. What's wrong with it?
I don't even spam people. I send one link to my site per every 5 witty and inspirational quotes. A few people that I met over there have contributed to my site as guest bloggers.
I am not doing anything evil - just automating something that I would hate to do manually.
You're a waste of space. I hope your accounts all get suspended. Witty and inspirational quotes? Wow, I guess your followers should feel blessed to find themselves at the receiving end of your awesome RSS'ed wisdom.
Spammers like you end up making people judge Twitter as "more spam" and giving it up before they've really tried it properly.
Your followers are probably more likely than normal users to give up Twitter because it's just pointless noise.
Simple utilitarian argument against what you're doing: if 10% of the Twitter population did what you do, Twitter would become mostly useless.
I really hope they write scripts to detect and ban you.
An ad hominem, also known as argumentum ad hominem (Latin: "argument toward the person" or "argument against the person"), is an attempt to persuade which links the validity of a premise to a characteristic or belief of the person advocating the premise. The ad hominem is a classic logical fallacy.
It's not an ad hominem, it's an outright insult. I am not attacking his character to win an unrelated argument. I am just attacking his character.
I'd suggest vigorously arguing his ideas, not his character. I'd actually be really interested in reading a vigorous discussion of "To bot or not to bot" as it relates to Twitter, Facebook and Buzz.
I think discussing where the line between automating specific marketing tasks and spamming lies is a really interesting question. I'd really enjoy reading both of you vigorously defend your opposing points of view.
But, this discussion has now degenerated into insults which robs me of the potential insights that both of you might have on the situation.
I feel that posting insults also communicates to noob HN readers that insults are okay in this community, when in fact, they're not. One of the reasons that people like you and I have felt compelled to heavily invest our time here over the years is because we've generally managed to keep insulting comments at bay. :)
Ok, I'll avoid devolving to insults in the future (though for this specific conversation it's a bit late). Thanks for taking the time to make that point.
For the sake of pointing out the obvious, Twitter already is mostly useless. Anything the previous poster can do to destroy the remainder, I'm all in favor of.
I've often wondered how much influence one really gains doing the follow/unfollow method. I mean, I suspect most of these types are just "social media coaches" following other "social media coaches". I suspect most accounts that have roughly the same number of followers and following above 500 are like this. I'd be interested in seeing a CTR for links published like this (though, not so interested that I'd do this scummy thing). Really if you're following over a thousand people, are you really paying attention to any?
This is very annoying. If I didn't know someone and he/she was following me, I just blocked them. I just left Twitter some time ago (feeds are better) and I am glad I did.
You're not the first or last, I know I used scripts like this in the past (smaller scale). There were even services built around it back a while ago... the names elude me but they offered 10 or 20 new followers per day based on keyword. It was a good way to add relevant people as you used it.
FYI: Twitter did fix this problem somewhat. After 2000 following you need to have a ratio within 10%. So following 2001 (or was it 2002) requires 1800 followers. This strategy only works for the first 2000. Presumably, he's got to clean up quite a few times before breaking past this. An easier solution would be to drop it down to 1000 or even 500, something no normal person would add in a day (but even I have found cases where I add more than this in a day legitimately - within a small niche I do business, to add everyone relevant it's around 700-900 I think).
Finally, how do you find the traffic quality? From what I've seen it's crap. I've pushed ~1 million clicks in the last 2 months or so and it's pretty worthless in my experience. I think there are a lot of bots and stat services just hitting it, definitely not real traffic.
That's true for a lot of shortcuts, hacks, and tricks. People will only tend to reveal tricks if they have no economic value to them (or if using them is so illegal that they'd prefer the fame and respect than the jail time ;-))
It's not that writing "accept [username]" is a bug — the bug is that you can use it to accept people who haven't asked to follow you. Similarly, OK buttons in dialogs are not a bug, but it would be a bug if they all had the same effect as the OK button in the dialog "Are you sure you want to erase your boot drive?"
They specifically made a feature that allows you to respond to follow requests by tweeting "accept username". The bug is not checking that the person has actually requested to follow you when processing that response.
By the same logic, a crasher because you forgot to check for NULL is an oversight rather than a bug. Both are cases of checks that should have been done and incorrect behaviors caused by failure to perform those checks. I say, if a piece of code does something it isn't intended to do or fails to do something it is meant to do, that's a bug. The bug might be the result of a poor design decision, but unless the behavior is intentional, it's a bug.
I wasn't aware that the feature was public. If it was a public feature, and it was failing to check that the target had actually added you, then sure - it's a bug.
I assumed that it was more of an intentional 'backdoor'.
As far as I'm aware, it's a feature that's meant to allow users to accept followers by text (there's a separate interface on the website for accepting follow requests). The bug is that it didn't check whether those people had actually requested to follow you. That's what articles on the subject have indicated, anyway.
Except if in fact it's an artifact of their SMS interface, which somehow got exposed, or was forgotten and not removed when needed. In which case I'd consider it a bug, not a bad but intentional decision.
I highly doubt that. From what I'm reading on the Intarwebs, a LOT of people just couldn't resist playing with this exploit. If they truly banned everyone who did a force-follow with this hack I think they would lose a ton of people who are frankly only getting marginal value from Twitter.
I know that if I actually had to rebuild my followee list for "testing" this little hack out I would probably decide it wasn't worth the effort to start over again on Twitter.
Is it an exploit or is it a valid command? I don't think we hacked anything, we just typed in some text that causes people to follow us, for all we know that's a new feature of twitter.
I don't think they've actually wiped out your followers and people you follow. I think they just prevented us from accessing those tables because I'm still getting tweets from people I follow, I just can't see the lists.
Wondering if there will be repercussions for people using this, or if they are able to track it? They aren't able to keep a lot of logs due to the volume.
> They aren't able to keep a lot of logs due to the volume.
That's pretty much untrue.
Anyway, I don't imagine it's too hard to grep the logs for the last day's worth of POST and 'accept .*' and undo all the follows constructed from that.
Well, I can tell you right now that my followed and following lists were both just now wiped out, and using the accept bug now produces an internal server error.
Edit: seems everyone is at 0/0, but the bug still produces an error for me.
Heh, I used this a bunch of times. It did work just fine, I had all sorts of people following me who really shouldn't care about me. And now I have 0 followers.
This is such an odd bug. I guess it goes to show that nobody knows what strange code which should have been removed four years ago lurks in the heart of Twitter.
Better question: does it produce a full follow, i.e., if I did this bug, would billgates actually see me in his stream? Or does it just increase the follower count and I show up on his sidebar? If it's the former, then wow. I know they're clearing it out now, but somebody must have been using this for a while.
I tried it between my main account and a disused one and tweets from the attacking account showed up both through the web interface and through the API.
Update (6:30 PM PST): We’ve finished our cleanup of the spurious followings generated a result of this bug. If you are still seeing folks you are following who you didn’t choose to follow, please use the block or unfollow tools to remedy.
Obviously, their so-called "cleanup" is incomplete, at least for me :)
Not quite. accept <username> is a perfectly valid command, but it is designed to allow someone requesting to follow you to follow you. Twitter needed to find accept requests which did not have matching follow requests, which is a bit more effort (but not much, I'd imagine).
As of now the problem appears to be fixed for a lot of people already.
I wonder if they are going to be able to undo this. Do they have a two sided log of the follow process? If it's just one-sided, they may be able to fix the bug but not to reverse the damage.
I suspect the Summize technology is better than they let on, and they can just do a search for tweets starting with "accept." I doubt there are many legit ones like that.
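The missing check and the cleanup discussed in the comments above, as an added example that is not part of the thread and is not Twitter's code: an accept command should only succeed against a pending follow request, and reconciling an accept log against a request log identifies the follows to undo. The `Service` class, its methods, the two logs, the command grammar and the sample accounts are all hypothetical.

```python
import re
from dataclasses import dataclass, field

# Hypothetical command grammar: "accept <username>" as the whole message.
ACCEPT = re.compile(r"^accept\s+@?(\w{1,15})\s*$", re.IGNORECASE)

@dataclass
class Service:
    pending: set = field(default_factory=set)        # (requester, target) awaiting approval
    follows: set = field(default_factory=set)        # (follower, followee) edges
    request_log: list = field(default_factory=list)  # every follow request made
    accept_log: list = field(default_factory=list)   # every accept command that created an edge

    def request_follow(self, requester, target):
        self.pending.add((requester, target))
        self.request_log.append((requester, target))

    def handle_message(self, actor, text, check_pending=True):
        """Return True if the message was an accept command that created a follow edge."""
        m = ACCEPT.match(text.strip())
        if not m:
            return False  # ordinary message, not a command
        edge = (m.group(1).lower(), actor)  # named user becomes a follower of actor
        # The check the thread says was missing: did the named user ask to follow actor?
        if check_pending and edge not in self.pending:
            return False
        self.pending.discard(edge)
        self.follows.add(edge)
        self.accept_log.append(edge)
        return True

    def spurious_follows(self):
        """Reconcile the two logs: accepted edges with no matching follow request."""
        return set(self.accept_log) - set(self.request_log)

    def cleanup(self):
        removed = self.spurious_follows() & self.follows
        self.follows -= removed
        return removed

def demo():
    svc = Service()  # accounts and messages below are constructed samples
    svc.request_follow("alice", "bob")
    legit = svc.handle_message("bob", "accept alice", check_pending=False)
    forced = svc.handle_message("mallory", "accept carol", check_pending=False)
    refused = svc.handle_message("mallory", "accept dave")  # hardened path
    return legit, forced, refused, svc.cleanup(), svc.follows
```

With `check_pending=False` the handler reproduces the behaviour the thread describes; the default path refuses the command, and `cleanup()` removes only the edge that never had a request behind it.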
Seems that the fix is just a filter. Is anyone else trying to bypass with html ascii?
A few minutes ago, a prompt with the html ascii returned a +0x36 on every char. Now it does not give feedback.
Even without this bug, I don't think they should still allow commands via tweet at all. It made sense when most tweets were via SMS, but not anymore... Maybe for emerging markets with heavy SMS usage, add a 2nd number to send commands to isolate the two?
Follow and Block make sense as commands you can send through a message. But Accept? Why would you ever be able to control an action on someone else's account? It's rather odd that this exists at all.
I think you've missed the point here. This isn't a command that tells your account to accept a follow request, or adds someone to your following list - this is a command that instantly makes other people 'accept' a follow request from YOU. This works completely differently in how it would consider the username parameter, and in that the change is applied to the other person's account, not yours.
They appear to be working on some sort of fix right now.
If you look at "following" lists, everything is showing up as zero for me right now, as in it shows that I'm not following anyone. All other users that I check are also showing that they aren't following anyone.
EDIT: My original message invited people not to try this. It turns out that everyone's counter is showing zero followers, regardless of whether you tried the hack or not. Thanks Travis for pointing this out. I was misled by my desktop client which cached my follower number.