
Twitter’s Shadow Ban vulnerability is now official


As Twitter’s code goes open-source on GitHub as part of its commitment to transparency, its “shadow ban” algorithm vulnerability has been assigned a CVE number as an officially recognised vulnerability, CVE-2023-29218. The flaw was first discovered by security researcher Federico Andres Lois in Twitter’s source code and has since been found by others as well.

Lois’ vulnerability writeup explains that the bug gives botnet armies the ability to manipulate the Twitter algorithm using mass blocks, unfollows, and abuse and spam reports that force it to show specific accounts less in Twitter’s recommendation engine, cutting off the account’s reach on the platform.


The bug’s incredibly easy to reproduce as well. All you have to do is find a group of people and follow a specific target in preparation. Unfollow them a few days later, then report a few posts, and then mute the user before completing them all together. The more people follow this sequence, the more severe a hit the target’s account takes.
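The sequence described above is a coordination pattern a platform’s trust-and-safety team could look for in its own action logs rather than something a user can defend against. The following is an added example, not code from the article or from Lois’ writeup; the log format, the action names, the sample accounts and the thresholds are all assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

NEGATIVE = {"unfollow", "report", "mute", "block"}  # negative signals named in the article

def build_sample():
    """Constructed sample log (assumed format: '<iso-timestamp> <actor> <action> <target>').
    Three accounts follow 'victim', then three days later each unfollows, reports, mutes
    and blocks it within minutes; 'alice' follows and later files a single report."""
    lines = []
    for i, bot in enumerate(("bot1", "bot2", "bot3")):
        lines.append(f"2023-04-01T10:0{i}:00 {bot} follow victim")
        for j, act in enumerate(("unfollow", "report", "mute", "block")):
            lines.append(f"2023-04-04T09:{i:02d}:{j * 10:02d} {bot} {act} victim")
    lines += ["2023-04-01T11:00:00 alice follow victim",
              "2023-04-04T12:00:00 alice report victim"]
    return "\n".join(lines)

def parse_events(text):
    """Parse log lines into (timestamp, actor, action, target) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, actor, action, target = line.split()
            events.append((datetime.fromisoformat(ts), actor, action, target))
    return sorted(events)

def find_coordinated_targets(events, window=timedelta(hours=1), min_actors=3):
    """Return {target: [actors]} for targets where at least `min_actors` distinct accounts,
    each of which followed the target earlier, all began the full negative sequence
    within `window` of one another. A lone organic report never qualifies."""
    followed = defaultdict(dict)                          # target -> actor -> follow time
    negatives = defaultdict(lambda: defaultdict(dict))    # target -> actor -> action -> time
    for ts, actor, action, target in events:
        if action == "follow":
            followed[target].setdefault(actor, ts)
        elif action in NEGATIVE and actor in followed[target] and followed[target][actor] < ts:
            negatives[target][actor].setdefault(action, ts)
    flagged = {}
    for target, actors in negatives.items():
        # Only actors that emitted every negative action count; key each by its first one.
        starts = sorted((min(acts.values()), a) for a, acts in actors.items()
                        if set(acts) == NEGATIVE)
        for i, (t0, _) in enumerate(starts):
            group = [a for t, a in starts[i:] if t <= t0 + window]
            if len(group) >= min_actors:
                flagged[target] = sorted(group)
                break
    return flagged
```

Running `find_coordinated_targets(parse_events(build_sample()))` flags `victim` with the three constructed bot accounts while leaving the single organic report untouched; real deployments would tune the window and actor threshold against their own baseline.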

There’s nothing a user can do to get rid of it either as they have no way of knowing if they’ve been “shadow-banned”. The penalty can’t be reverted either because it has nothing to do with the user’s behaviour on the platform. Finally, regardless of how much a particular post is boosted, with enough people applying enough signals, the multiplier gets “incredibly low”. 

Twitter owner Elon Musk also seems to be aware of the vulnerability and the botnets or groups abusing it to crush accounts. That said, he doesn’t seem particularly concerned about it, giving out a cryptic response to one person who tweeted about the issue and offering a million-dollar bounty to anyone who finds out where these botnets originate.

There are even apps that allow just about anyone to build or weaponise this behaviour. Examples cited by Lois include Block Party, Twitter Block Exchange and Block Together. Even though Block Together was shut down in January 2021, it had over 303,000 registered users, 198,000 users subscribing to at least one list, 4,500 users offering a list with at least one subscriber and 3.7 billion actions.


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
