Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-29218: Recommendation Algorithm Manipulation via mass blocks · Issue #1386 · twitter/the-algorithm

The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.

CVE
Open in Source
#vulnerability#dos#botnet

The current implementation allows for coordinated hurting of account reputation without recourse. The most general behavior is that global penalties are prone to be gamed (all of them). In other time I would just report this information using a vulnerability channel, but given that this is already popular knowledge there is no use to do so.

The reason is that there is nothing a user can do to get rid of it because:

  • The user can’t know that it is been penalized.
  • The user can’t revert the penalty because it is not in his hands to change behavior to avoid it
  • They accumulate and survive the actual tweet.
  • No matter how much you boost, with enough people applying enough signals (there are many) the multiplier gets incredibly low.

To Reproduce
Organize a botnet or a group of people with known similar views.
Request your followers to block someone for ‘reasons’ (it doesn’t matter here if the reasons are valid or not). This is exploited by political parties, group-think, etc. Now that this is also known, the vulnerability is plain obvious.

Examples (using them to show the behavior does exist, not to punish the users for anything I had a lot to choose from):

https://twitter.com/BlockTheBlue
https://twitter.com/ayybeary/status/1642280442047995906
https://twitter.com/Kaptain_Kobold/status/1642379706925477888
https://twitter.com/MAYBEEELI/status/1642300879649792004
https://twitter.com/glenda_aus/status/1642282010462007296

There are apps that allow you build/organize/weaponize this behavior.

  • https://www.blockpartyapp.com/
  • https://www.reddit.com/r/GamerGhazi/comments/31s03s/twitter_blocklist_exchange/
  • https://blocktogether.org/

While already shutdown, these are some of the stats for BlockTogether:

  • 303k registered users.
  • 198k users subscribing to at least one list.
  • 4.5k users offering a list, with at least one subscriber.
  • 3.7B actions.

Steps to reproduce the behavior:

  1. Organize a group with a few friends (I have groups with 40+)
  2. Find a target, and execute the following tasks in order
  3. They should follow in preparation, a few days later unfollow first, [just doing this in 90 days intervals also hurts]
  4. Then they will report a few “borderline” posts.
  5. Then they will mute.
  6. Then they will block.

Expected behavior
No global penalty should be applied because you can game them pretty easily, all penalties (if any) should be applied at the content level.

Related news

Twitter 'Shadow Ban' Bug Gets Official CVE

A flaw in Twitter code allows bot abuse to trick the algorithm into suppressing certain accounts.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE