Twitter bug: Make anyone follow you on Twitter

I would guess this exploit has always been possible until today? What's interesting is that someone has probably been wielding this secret power well before it got outed here on hacker news.

Official:<p><a href="http://status.twitter.com/post/587210796/follow-bug-discovered-remedied" rel="nofollow">http://status.twitter.com/post/587210796/follow-bug-discover...</a>

amazing. They found out, it seems: right now everyone seems to have 0 following and 0 followers.

Its coincidental that Conan tweeted this message a couple days ago:<p><i>"If it ever says I’m following more than one person, I’ve been hacked. I’m a completely monogamous Twitterer—I only follow Sarah Killen."</i><p><a href="http://twitter.com/ConanOBrien/status/13631062967" rel="nofollow">http://twitter.com/ConanOBrien/status/13631062967</a>

If you tweet “accept [Twitter Username]”, the other user will automaticly follow you.<p>eg. "accept snoopdog"

Wow, this works. SnoopDogg is now following me: <a href="http://twitter.com/snoopdogg" rel="nofollow">http://twitter.com/snoopdogg</a>. I'm the cartoon figure.

I don't think they've actually wiped out your followers and people you follow. I think they just prevented us from accessing those tables because I'm still getting tweets from people I follow, I just can't see the lists.

Wondering if there will be repercussions for people using this, or if they are able to track it? They aren't able to keep a lot of logs due to the volume.

Twitter damage control: TRUNCATE followers;

I can't believe they didn't create an OOB mechanism for accept/deny requests, especially since they send so much meta data w/ each tweet anyway.<p>This seems like an extremely basic design flaw.

Heh, I used this a bunch of times. It did work just fine, I had all sorts of people following me who really shouldn't care about me. And now I have 0 followers.

Sweet works for me. Check my followers: <a href="http://twitter.com/chegra" rel="nofollow">http://twitter.com/chegra</a>

the user who found this says he was trying to tweet "accept pwnz" where accept is a music group name.

The Turkish user who found the bug explains it here (in Turkish): <a href="http://inci.sozlukspot.com/e/4266098/" rel="nofollow">http://inci.sozlukspot.com/e/4266098/</a><p>And people wondering why Axl Rose is following him here :) <a href="http://www.mygnrforum.com/index.php?showtopic=164026&#38;st=0" rel="nofollow">http://www.mygnrforum.com/index.php?showtopic=164026&#38;st=...</a>

That's an utterly insane bug! Some kind of debug accidentally left in? Or an admin phrase not authorised properly?

better question: does it produce a full follow ie- if i did this bug, would billgates actually see me in his stream? OR does it just increase the follower count+i show up on his sidebar. if its the former, then wow. I know they're clearing it out now, but somebody must have been using this for a while.

Update (6:30 PM PST): We’ve finished our cleanup of the spurious followings generated a result of this bug. If you are still seeing folks you are following who you didn’t choose to follow, please use the block or unfollow tools to remedy.<p>Obviously, their so called "cleanup" is incomplete, at least for me :)

Allegedly fixed, twitter is working on rolling back abuses of the hack.<p><a href="http://status.twitter.com/post/587210796/follow-bug-discovered-remedied" rel="nofollow">http://status.twitter.com/post/587210796/follow-bug-discover...</a>

Yes, this does work. Now what's the opposite verb to make someone unfollow me?

watch everyone play!<p><a href="http://search.twitter.com/search?q=accept" rel="nofollow">http://search.twitter.com/search?q=accept</a>

Wow, tested and verified.<p>Somebody is working late tonight.

I wonder if they are going to be able to undo this. Do they have a two sided log of the follow process? If it's just one-sided, they may be able to fix the bug but not to reverse the damage.

Interesting. My "following" and "followers" counts just dropped to 0.

Jason Calacanis dream come true :P

Seems that the fix is just a filter. Is anyone else trying to bypass with html ascii? A few minutes ago, a prompt with the html ascii returned a +0x36 on every char. Now it does not give feedback.<p>"accept BillGates": &#38;#61 ;&#38;#63 ;&#38;#63 ;&#38;#65 ;&#38;#70 ;&#38;#74 ;&#38;#20 ;&#38;#42 ;&#38;#69 ;&#38;#6C ;&#38;#6C ;&#38;#47 ;&#38;#61 ;&#38;#74 ;&#38;#65 ;&#38;#73 ;<p>Maybe they already <i>really</i> fixed this bug (I hope).

There could be notoriety for anyone who does this to Conan O'brien. He only follows one person AFAIK.<p>Edit: Looks like this probably already happened.

Whatever it was, got removed or keeled over...

Even without this bug, I dont think they should still allow commands via tweet at all. It made sense when most tweets were via SMS, but not anymore...Maybe for emerging markets with heavy SMS usage, add a 2nd number to send commands to isolate the two?

They appear to be working on some sort of fix right now.<p>If you look at "following" lists, everything is showing up as zero for me right now, as in it shows that I'm not following anyone. All other users that I check are also showing that they aren't following anyone.

Oooo approaching 2012 ;) Louisiana oil spill. Massive Twitter bug. Sticky finger Dow collapse. Facebook losing it's privacy mojo.<p>And to top it off, one line of code I checked in late last night prevented 200 new users from signing up on my freshly minted site.

It appears that they just wiped everyone's list of followers? My feed still works though.

This is up there with putting everybody in a root terminal by default on their Androids.

Everyone shows 0 followers, but your stream still shows those you follow. Interesting.

BBC has a report on this:<p><a href="http://news.bbc.co.uk/2/hi/technology/10106166.stm" rel="nofollow">http://news.bbc.co.uk/2/hi/technology/10106166.stm</a>

Exploit is fixed, and follower lists are rolled back, but they didn't do a perfect job...<p>Felicia Day is still following me. ^-^

Link doesn't work - does a server hammering lead to a 404? I didn't know it could...

I would not want to be in the Twitter offices today. Good day to call in sick.

Is it broken now? Both followers and follow count is 0 now?!

Now I am getting a 502 when I try to post accept messages.

Okay, all followers of everyone just dropped to 0...

here is the official twitter status blog: <a href="http://status.twitter.com/" rel="nofollow">http://status.twitter.com/</a>

Wow they fixed that really fast.

mirror?

EDIT: My original message invited people not to try this. It turns out that everyone's counter is showing zero followers, regardless of whether you tried the hack or not. Thanks Travis for pointing this out. I was misled by my desktop client which cached my follower number.