I would guess this exploit has always been possible until today? What's interesting is that someone has probably been wielding this secret power well before it got outed here on hacker news.
It's coincidental that Conan tweeted this message a couple of days ago:

"If it ever says I'm following more than one person, I've been hacked. I'm a completely monogamous Twitterer—I only follow Sarah Killen."

http://twitter.com/ConanOBrien/status/13631062967
Wow, this works. SnoopDogg is now following me: http://twitter.com/snoopdogg. I'm the cartoon figure.
I don't think they've actually wiped out your followers and people you follow. I think they just prevented us from accessing those tables because I'm still getting tweets from people I follow, I just can't see the lists.
Wondering if there will be repercussions for people using this, or if they are able to track it? They aren't able to keep a lot of logs due to the volume.
I can't believe they didn't create an OOB mechanism for accept/deny requests, especially since they send so much metadata w/ each tweet anyway.

This seems like an extremely basic design flaw.
Heh, I used this a bunch of times. It did work just fine, I had all sorts of people following me who really shouldn't care about me. And now I have 0 followers.
The Turkish user who found the bug explains it here (in Turkish):
http://inci.sozlukspot.com/e/4266098/

And people wondering why Axl Rose is following him here :)
http://www.mygnrforum.com/index.php?showtopic=164026&st=0
Better question: does it produce a full follow, i.e. if I did this bug, would billgates actually see me in his stream? Or does it just increase the follower count and I show up on his sidebar? If it's the former, then wow. I know they're clearing it out now, but somebody must have been using this for a while.
Update (6:30 PM PST): We've finished our cleanup of the spurious followings generated as a result of this bug. If you are still seeing folks you are following who you didn't choose to follow, please use the block or unfollow tools to remedy.

Obviously, their so-called "cleanup" is incomplete, at least for me :)
Allegedly fixed, Twitter is working on rolling back abuses of the hack.

http://status.twitter.com/post/587210796/follow-bug-discovered-remedied
I wonder if they are going to be able to undo this. Do they have a two sided log of the follow process? If it's just one-sided, they may be able to fix the bug but not to reverse the damage.
Seems that the fix is just a filter. Is anyone else trying to bypass with html ascii?
A few minutes ago, a prompt with the html ascii returned a +0x36 on every char. Now it does not give feedback.

"accept BillGates":
&#61 ;&#63 ;&#63 ;&#65 ;&#70 ;&#74 ;&#20 ;&#42 ;&#69 ;&#6C ;&#6C ;&#47 ;&#61 ;&#74 ;&#65 ;&#73 ;

Maybe they already really fixed this bug (I hope).
There could be notoriety for anyone who does this to Conan O'Brien. He only follows one person AFAIK.

Edit: Looks like this probably already happened.
Even without this bug, I don't think they should still allow commands via tweet at all. It made sense when most tweets were via SMS, but not anymore... Maybe for emerging markets with heavy SMS usage, add a 2nd number to send commands to, to isolate the two?
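The design point raised in the comments above (accept/deny handled out of band, and the tweet text not trusted as an authenticated command), as an added example in Python that is neither from this thread nor from Twitter's code: a toy follow service whose "accept" handler only acts when the named user actually has a pending request, and records both sides of every decision so spurious follows can be rolled back. The FollowService class, the account names and the channel labels are constructed for illustration.

```python
import html
from dataclasses import dataclass, field


@dataclass
class FollowService:
    """Toy model of a follow graph driven by text commands (constructed example)."""
    # followers[target] = set of accounts following target
    followers: dict = field(default_factory=dict)
    # pending[target] = set of accounts that asked to follow a protected target
    pending: dict = field(default_factory=dict)
    # two-sided audit trail: (outcome, account acted on, requester, channel)
    audit: list = field(default_factory=list)

    def request_follow(self, requester, target):
        """A protected account receives a follow request it has to approve."""
        self.pending.setdefault(target, set()).add(requester)

    def handle_command(self, actor, text, channel):
        """Dispatch an 'accept <user>' command issued by `actor` over `channel`.

        Returns a short status string. A string filter on the word 'accept'
        would be the wrong fix (it is defeated by re-encoding the text);
        the real guard is the state check below.
        """
        parts = html.unescape(text).strip().split()
        if len(parts) != 2 or parts[0].lower() != "accept":
            return "unknown command"
        requester = parts[1].lstrip("@")
        # The check the bug lacked: only honour an accept when the named user
        # actually asked to follow the actor. Without it, anyone could post
        # "accept SomeAccount" and gain that account as a follower.
        if requester not in self.pending.get(actor, set()):
            self.audit.append(("rejected", actor, requester, channel))
            return "no pending request"
        self.pending[actor].discard(requester)
        self.followers.setdefault(actor, set()).add(requester)
        self.audit.append(("accepted", actor, requester, channel))
        return "ok"


if __name__ == "__main__":
    svc = FollowService()
    print(svc.handle_command("alice", "accept BillGates", "tweet"))  # no pending request
    svc.request_follow("bob", "alice")
    print(svc.handle_command("alice", "accept @bob", "sms"))  # ok
    print(svc.audit)
```

The audit tuples are what the "two-sided log" question in this thread asks for: each entry names the acting account, the requester and the channel, which is enough to undo an unwanted follow later.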
They appear to be working on some sort of fix right now.

If you look at "following" lists, everything is showing up as zero for me right now, as in it shows that I'm not following anyone. All other users that I check are also showing that they aren't following anyone.
Oooo approaching 2012 ;) Louisiana oil spill. Massive Twitter bug. Sticky finger Dow collapse. Facebook losing its privacy mojo.

And to top it off, one line of code I checked in late last night prevented 200 new users from signing up on my freshly minted site.
BBC has a report on this:

http://news.bbc.co.uk/2/hi/technology/10106166.stm
EDIT: My original message invited people not to try this. It turns out that everyone's counter is showing zero followers, regardless of whether you tried the hack or not. Thanks Travis for pointing this out. I was misled by my desktop client which cached my follower number.