Catching a Twitter Bug

The story of finding a (minor) Twitter bug


Recently, I completed an app called Adjust-A-List. While working on Adjust-A-List, I routinely tried to find any bugs or vulnerabilities in the app. One thing I noticed was that when searching for a user’s lists, Twitter surfaced all of the user’s lists, even “blank lists”: lists that had a title but no users. I didn’t want these blank lists to show up in a user’s list results, so I created some blank lists to see if my code would filter these out.

The Bug

It was here that I noticed a problem. When I created a blank list, it would sometimes create duplicate lists of the same name. I tested this out with several different lists, yet the problem still persisted.

Perhaps something was wrong with my account? Curious, I tried it with a different account but still encountered the same issue.

This was odd, I thought, and I expanded the scope of my discovery to other platforms. After testing it out, this issue didn’t appear to exist on the Safari browser, or on mobile. It appeared to solely be a problem in Chrome.

Looking A Bit Closer

I decided to take a closer look at the details of the duplicate lists that were being created. These duplicate lists had the same name and even the same URL, but did they have different IDs? I went to my terminal to figure this out. In order to differentiate between these two lists, I added 1 member to one and added 2 to another.

Lo and behold, check it out! All of the info for these duplicate lists is exactly the same except for the list ID!

List 1

List 2

Reporting the Bug

Wanting to report this to Twitter, I recalled a recent TechCrunch article that detailed a newly created bounty program for reporting bugs.

https://twitter.com/twittersecurity/status/507220774336225280

I didn’t really care about the monetary aspect; I was more curious as to what caused this issue and how it could be resolved.

HackerOne

I submitted this bug to HackerOne, and received an immediate response from a Twitter security engineer. The engineer mentioned that while this certainly appeared to be a bug, it wasn’t a bug with security implications, which is what HackerOne is for.

Twitter Developer Community

I then tweeted with another Twitter Engineer about it, who directed me to a Twitter Developer forum where these issues are reported and discussed. I reported this issue there and also received an immediate response.

Evidently, this bug appeared to be a known issue. In fact, I found a lengthy thread on the forum about it (one developer lamented on August 3rd that the thread had been in existence for 34 weeks and the problem hadn’t yet been resolved).

Possible Solution

Perhaps a possible solution to this bug is as follows. Twitter currently allows the possibility of creating a list with the same name. If Twitter didn’t allow lists to have duplicate names, a validation could be created so that once a user creates a list with a particular name, that name cannot be used again. For example, if I create a list called “Sports,” Twitter’s code would validate the uniqueness of this name and I wouldn’t be able to create another list called “Sports.” Again, this is just pure speculation as I have no knowledge of Twitter’s codebase.
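The uniqueness validation suggested above, sketched as an added example (this is not Twitter's code or Adjust-A-List's). The schema, the `create_list` helper and the case-insensitive name matching are all assumptions for illustration; the rule is enforced by a database constraint so that two near-simultaneous requests cannot both pass a check-then-insert test.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions for illustration.
SCHEMA = """
CREATE TABLE lists (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    owner_id INTEGER NOT NULL,
    name     TEXT    NOT NULL,
    name_key TEXT    NOT NULL,          -- normalized name used for uniqueness
    UNIQUE (owner_id, name_key)         -- one list per name per owner
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def create_list(conn, owner_id, name):
    """Return (list_id, created). A repeated name for the same owner
    returns the existing list instead of creating a second one."""
    display = name.strip()
    key = display.casefold()            # assumption: "Sports" == "sports"
    if not key:
        raise ValueError("list name must not be empty")
    try:
        with conn:                      # commits on success, rolls back on error
            cur = conn.execute(
                "INSERT INTO lists (owner_id, name, name_key) VALUES (?, ?, ?)",
                (owner_id, display, key),
            )
        return cur.lastrowid, True
    except sqlite3.IntegrityError:
        # The constraint rejected a duplicate: hand back the original list's ID.
        row = conn.execute(
            "SELECT id FROM lists WHERE owner_id = ? AND name_key = ?",
            (owner_id, key),
        ).fetchone()
        return row[0], False

if __name__ == "__main__":
    db = open_db()
    print(create_list(db, 1, "Sports"))   # first request creates the list
    print(create_list(db, 1, "Sports"))   # repeated request reuses the same ID
    print(create_list(db, 2, "Sports"))   # a different owner may use the name
```

Returning the existing ID on a duplicate makes the create call idempotent, so a request that is sent twice ends with one list rather than two lists that differ only by ID.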

Conclusion

Granted, this creation of duplicate lists is a bug, but it’s not a major one along the lines of a SQL Injection, Cross-Site Request Forgery, or an Authentication vulnerability. Furthermore, as a prescient Burlington, VT quartet has taught us regarding a Bug: “it doesn’t matter!”

However, while this bug may not be the highest of priorities, I hope it will soon be addressed (from a personal perspective, people might be hesitant to use my app if it creates multiple lists for them :/ ).

I also learned a lot from delving into this topic, and it was lots of fun to try and help resolve an issue for a website that hundreds of millions of people use. I learned firsthand that even the most popular websites in the world aren’t immune to bugs, and also witnessed the beauty of the developer network, where everyone can contribute and try to help one another.