Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug

Plus: Substack shanked by bitter Twitter?


The chunk of internal source code Twitter released the other week contains a "shadow ban" vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone's account out of sight "without recourse."

The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that's said to power Twitter's For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it had already released over the years, long before Elon Musk took over.

That recommendation engine, we'd like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we're not sure there's enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon's. It's more marketing sauce than open source.

According to Lois's study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user apply global reputation penalties to the account that are practically impossible to overcome, because of how Twitter's recommendation algorithm treats negative actions.

As a result, Lois said, Twitter's current recommendation algorithm "allows for coordinated hurting of account reputation without recourse." Mitre has assigned CVE-2023-23218 to the issue.

Because this bug is in Twitter's recommendation algorithm, accounts that have been subject to mass blocking are essentially "shadow-banned": they won't show up in recommendations, and the user is never told they've been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn't be possible to game the system in this way, but it is.

Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that - whether intentional or not - end up having the same effect on users who run afoul of block lists. 

A number of Twitter users have said the bug could be exploited by botnet armies, and it didn't take long for Twitter owner Elon Musk to catch the scent of his favorite Twitter conspiracy on the wind. 

When one Twitter user suggested Musk should fix the issue by only allowing mutes, blocks, and reports from Twitter users with a blue check to affect the algorithm, Musk tweeted that he wanted to know "who is behind these botnets."

"Million dollar bounty if convicted," Musk said, though what is meant by conviction is anyone's guess. Don't rush out to prove the existence of those botnets, either - if Musk can't even pay a $7,000 bill for a swag bag it's unlikely he's going to dole out a cool million to a Twitter user claiming to have proof of a botnet conspiracy. 

We asked Twitter for comment on Musk's tweet, and a few other aspects of this story, and we didn't receive a serious response, just a poop emoji as expected.

"No global penalty should be applied because you can game them pretty easily, all penalties (if any) should be applied at the content level," Lois pointed out in the "expected behavior" portion of his bug report. 

This, of course, would require Twitter to have a moderation team, which was likely axed along with the bulk of Twitter's staff when Musk took over in November of last year.

The other obvious fix would be applying time-based decay (entropy) to negative signals, though Lois said the structure of Twitter's recommendation algorithm would allow that sort of feature to be easily overcome by repeatedly following/unfollowing accounts every 90 days, for example.
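To make the refresh tactic concrete, here is an added toy model of a global account-reputation penalty fed by expiring negative signals. It is illustration only, not code from Twitter's the-algorithm repository or from Lois's report; the 90-day window, signal weights, suppression threshold, campaign sizes and the dedupe-by-source mitigation are all assumptions. It shows that a fixed expiry window alone does nothing against attackers who unblock and re-block on the window's cadence, while counting each source account once per target does.

```python
"""Toy model of a global account-reputation penalty driven by negative
signals (block, mute, unfollow, report) that expire after a fixed window.

Added illustration only: not code from Twitter's the-algorithm repository
or from Lois's bug report. Window length, weights, threshold, campaign
sizes and the dedupe mitigation are assumptions.
"""
from dataclasses import dataclass

WINDOW_DAYS = 90          # assumption: a negative signal counts for 90 days
SUPPRESS_THRESHOLD = 5.0  # assumption: at/above this the account drops out of recommendations
WEIGHT = {"block": 1.0, "report": 1.0, "mute": 0.5, "unfollow": 0.25}  # assumed weights


@dataclass(frozen=True)
class Signal:
    source: str   # account that blocked/muted/unfollowed/reported
    target: str   # account being penalised
    kind: str
    day: int      # day the signal was emitted


def penalty(signals, target, now_day, dedupe_by_source=False):
    """Global penalty for `target` on `now_day`.

    Without dedupe, every in-window signal counts, so an attacker who
    unblocks and re-blocks refreshes the window (the tactic Lois describes).
    With dedupe_by_source, each (source, kind) pair counts once, at its first
    occurrence, so re-blocking does not extend the penalty.
    """
    seen = set()
    total = 0.0
    for s in sorted(signals, key=lambda s: s.day):
        if s.target != target or s.day > now_day:
            continue
        if dedupe_by_source:
            key = (s.source, s.kind)
            if key in seen:
                continue
            seen.add(key)
        if now_day - s.day < WINDOW_DAYS:
            total += WEIGHT[s.kind]
    return total


def is_suppressed(signals, target, now_day, dedupe_by_source=False):
    return penalty(signals, target, now_day, dedupe_by_source) >= SUPPRESS_THRESHOLD


def campaign(n_sources, target, horizon_days, refresh_every=None, kind="block"):
    """Constructed attack: n_sources accounts all block `target` on day 0;
    if refresh_every is set they unblock and re-block on that cadence."""
    days = [0] if refresh_every is None else range(0, horizon_days + 1, refresh_every)
    return [Signal(f"attacker{i}", target, kind, d) for d in days for i in range(n_sources)]


def suppressed_days(signals, target, horizon_days, dedupe_by_source=False):
    """Number of days within the horizon on which `target` is suppressed."""
    return sum(is_suppressed(signals, target, d, dedupe_by_source)
               for d in range(horizon_days + 1))


if __name__ == "__main__":
    horizon = 365
    one_shot = campaign(6, "victim", horizon)
    refreshing = campaign(6, "victim", horizon, refresh_every=90)
    print("one-shot block by 6 accounts: suppressed",
          suppressed_days(one_shot, "victim", horizon), "of", horizon + 1, "days")
    print("re-block every 90 days: suppressed",
          suppressed_days(refreshing, "victim", horizon), "days")
    print("same campaign, deduped by source:",
          suppressed_days(refreshing, "victim", horizon, dedupe_by_source=True), "days")
```

With these assumptions, six attacker accounts blocking once suppress the target for 90 days; the same six re-blocking every 90 days keep it suppressed for the whole year; deduplicating signals per source account brings that back to 90 days. The dedupe rule is one hypothetical mitigation, not anything Twitter has shipped.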

"This tactic can be repeated indefinitely," Lois said. ®
