The Real Story Behind Twitter's Ridiculous Follow Bug

For a while today, a Twitter bug let anyone force anyone to follow their accounts. It was a hilariously simple trick, and equally bizarre. Even better? This bug was discovered by accident, by a Turkish Twitter user. Here's what happened.

Our initial tip came to us through another Turkish Twitter user, named Güntekin. His first message to us frankly sounded ridiculous. Preemptive [sic]:

A Turkish guy named Bora Kırca figared out accidently that if you tweet "accept username", for example billgates, then bill gates will follow you.

it's so stupid; but true.

Stupid, but yeah, true. It worked. We posted about it. Twitter went nuts, everyone's follow numbers shot to zero, and Bora's Twitter account was suspended. But how did he find this thing in the first place? Accidentally? Really? Güntekin explains:

[Bora] likes a group named "Accept" and to show his love, he tweets "accept pwnz"; but instead of seeing this post, he sees twitter user "pwnz" follows him.

He told his girlfriend, and together they started doing exactly what anyone else would have: They made famous people follow them. Then he posted about it on his blog, here (NSFW), in Turkish. Within hours, this was happening:


Prominent Twitterers were getting, er, Twaped. Then, through Güntekin and people like him, word trickled west.


Uh, What?

Right, so that's evidently how the bug was found, but why was it there in the first place? It was so naked and simple—just type "accept username" and you've got a new follower—that its existence strained belief. Why would typing a command like that do anything, much less rip a hole in Twitter's delicate infrastructure?

Text commands have been with Twitter since the start, and many still work. Type "STATS" and you'll get a rundown of your Twitter numbers; type "FOLLOW USERNAME" and you'll follow that user; tweet "RT USERNAME" and you'll retweet that user's last message. These are all documented.

What's not documented is the ACCEPT command, which was what made this trick work. It's not clear what this command is (or was) supposed to do, but it's pretty clear what it did do.

Update: Reader Rhainor explains:

Its intended use was for people who have their tweets protected. If you try to follow someone who's protected, instead of instantly following them, it sends a request to the user ("'username' has requested to follow you"). To allow them to follow you, you 'accept' the request (in my experience, by clicking a button, but for people who rarely use , the text command makes sense).
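To make the missing check concrete, here is a toy model of a text-command handler (an added, constructed example, not Twitter's code): the vulnerable `accept` creates a follow from whatever username the tweet names, while the fixed version only converts a follow request that user actually sent to a protected account.

```python
"""Toy model of Twitter-style text commands (constructed example, not Twitter's code)."""
from dataclasses import dataclass, field


@dataclass
class Graph:
    protected: set = field(default_factory=set)  # users whose tweets are protected
    pending: set = field(default_factory=set)    # (requester, target) awaiting approval
    follows: set = field(default_factory=set)    # (follower, followed) relationships

    def follow(self, actor, target):
        # Following a protected user only queues a request; the target must accept it.
        if target in self.protected:
            self.pending.add((actor, target))
            return "requested"
        self.follows.add((actor, target))
        return "following"

    def accept_vulnerable(self, actor, username):
        # The bug: the command text is trusted and the follow is created unconditionally,
        # so "accept billgates" makes billgates follow whoever tweeted it.
        self.follows.add((username, actor))
        return "accepted"

    def accept_fixed(self, actor, username):
        # Authorization check: only a request that `username` really sent to `actor`
        # may be turned into a follow; anything else is refused.
        if (username, actor) not in self.pending:
            return "no pending request"
        self.pending.discard((username, actor))
        self.follows.add((username, actor))
        return "accepted"


def handle_tweet(graph, author, text, fixed=True):
    """Dispatch a tweet: two-word commands are interpreted, everything else is posted."""
    parts = text.strip().split()
    if len(parts) != 2:
        return "posted"
    cmd, arg = parts[0].lower(), parts[1]
    if cmd == "follow":
        return graph.follow(author, arg)
    if cmd == "accept":
        return (graph.accept_fixed if fixed else graph.accept_vulnerable)(author, arg)
    return "posted"
```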

Twitter's Response

So far, Twitter can't do much but wait—for their engineers to clean up the mess, and to figure out exactly how this happened, and how to spin it. We reached out, but were told, understandably, that they are "looking into" our questions. Their official line so far is written like a bug report:

We identified and resolved a bug that permitted a user to "force" other users to follow them. We're now working to roll back all abuse of the bug that took place. Follower/following numbers are currently at 0; we're aware and this too should shortly be resolved.

It seems obvious that this bug had been lingering for a while, and that it was just a matter of time before someone caught it. It also seems obvious that Twitter should have caught it before rolling the "ACCEPT" feature into the main site.

Make no mistake: For hours, thousands of people were able to take control of other people's Twitter accounts with a trick so easy that even the newest Twitterer could execute it. And I'd guess that for some time before it was public, people like Bora were accidentally compelling followers without even knowing it. Twitter was compromised. Though we obviously made ourselves targets, most of our accounts were effectively hacked—someone acted on our behalf, with our public Twitter identities, without our credentials.

In the end, Twitter will clean this up, and they (or we) will cleanse our followed lists. But the fear will, and should, remain: What if this was a little worse? What if a command gave people access to others' Twitter accounts beyond the ability to force a follow? This was an inconvenience; that would have been a disaster.

Bonus: Here's a video by the band Bora was trying to express his love for:


And that's how a defunct German metal band destroyed Twitter, sort of. UPDATE: Oh, not defunct! Please Accept my apology, Accept.

UPDATE: From Turkish reader Kerem:

I am Turkish and I would like to correct you about your post I mentioned in the subject. The link you gave as the blog of Bora Kırca () is not his blog. It is one of the most ridiculous and hated NSFW social networks in Turkey called Inci Sozluk, which consists of curses and nothing else. You can see what it's all about in the post number 16 of that page and unfortunately most things written in that page translate roughly to that ASCII image.

So the exploited got Turkish 4Chan'd, basically.