Welcome to open source, Elon. Your Twitter code just got a CVE for shadow ban bug • The Register
The chunk of internal source code Twitter released the other week contains a “shadow ban” vulnerability serious enough to earn its own CVE, as it can be exploited to bury someone’s account of sight “without recourse.”
The issue was discovered by Federico Andres Lois while reviewing the tweet recommendation engine that’s said to power Twitter’s For You timeline. This system was made public by Twitter on March 31, adding to the libraries of open source software it already released over years, long before Elon Musk took over.
That recommendation engine, we’d like to quickly note, seems more of a curiosity than anything else: while it shows what kinds of tweets and engagement are deemed important or harmful to Twitter, we’re not sure there’s enough there to do anything terribly practical with it, in terms of building your own social network or offering to improve Elon’s. It’s more marketing sauce than open source.
According to Lois’s study of the engine bug he found, coordinated efforts to unfollow, mute, block and/or report a targeted user applies global reputation penalties to the account that are practically impossible to overcome based on how Twitter’s recommendation algorithm treats negative actions.
As a result, Lois said, Twitter’s current recommendation algorithm “allows for coordinated hurting of account reputation without recourse.” Mitre has assigned CVE-2023-23218 to the issue.
Because this bug is in Twitter’s recommendation algorithm, it means that accounts that have been subject to mass blocking are essentially “shadow-banned,” and won’t show up in recommendations despite the user being unaware they’ve been penalized. There seems to be no way to correct that kind of action, and it ideally shouldn’t be possible to game the system in this way, but it is.
Lois pointed to several examples of Twitter users encouraging mass follows and unfollows, blocking and other actions that have disproportionately negative weight on targeted accounts as examples that the behavior is being exploited in the wild. Lois also said apps such as Block Party, which allow Twitter users to mass-filter accounts, are formalized tools that – whether intentional or not – end up having…
