Security News > 2023 > April > Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that's said to power Twitter's For You timeline.

According to Lois's study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user applies global reputation penalties to the account that are practically impossible to overcome based on how Twitter's recommendation algorithm treats negative actions.

As a result, Lois said, Twitter's current recommendation algorithm "Allows for coordinated hurting of account reputation without recourse." Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter's recommendation algorithm, it means that accounts that have been subject to mass blocking are essentially "Shadow-banned," and won't show up in recommendations despite the user being unaware they've been penalized.

A number of Twitter users have said the bug could be exploited by botnet armies, and it didn't take long for Twitter owner Elon Musk to catch the scent of his favorite Twitter conspiracy on the wind.

When one Twitter user suggested Musk should fix the issue by only allowing mutes, blocks, and reports from Twitter users with a blue check to affect the algorithm, Musk tweeted that he wanted to know "Who is behind these botnets."

News URL

https://go.theregister.com/feed/www.theregister.com/2023/04/07/twitter_code_cve_substack/