A kind move that turned into a massive bug

Twitter’s kind gesture toward new users turned out to be the biggest bug in their history.

Image: a recently created account that follows 1M people.

Okay, what was it?

When you sign up for Twitter, they encourage you to follow people as a warm-up, and they let you follow 30–40 people with one click.

It’s nice, right? Yeessss.

The warm-up “follow people” page shown after you sign up: https://twitter.com/i/start/follow_interests

Let’s look at how this mechanism works.

When you click the follow button, it sends a POST request to a service.

It’s ok.

But the problem is the service itself. We all know there are limits on aggressive following behaviour on Twitter, but this service doesn’t apply any of those rules or restrictions, and that is a big vulnerability: the bulk “follow all” endpoint skips the rate limit that the normal follow path enforces.

Image: the POST request sent when you click the “follow all” button on the page.

And yes, you can abuse it.

The details:

Post URL: https://twitter.com/welcome/follow_all_friends

Post data:

user_ids[] = the user ids we want to follow (sent as an array)

Post headers: 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Cookie': 'YOUR COOKIE DATA', 'x-phx': true, 'X-Requested-With': 'XMLHttpRequest'

Okay, now I need active users’ ids.

Why active? Because I want them to follow me back fast, so I thought: if I use the streaming API in legal ways, I can collect that data easily.

https://gist.github.com/BatuhanK/e1e0b3205ff8466f4bc5

After 2 hours of running, I had 1.5 million user ids in my Redis memory.

OK, let’s follow ’em!

https://gist.github.com/BatuhanK/3a90669ea52d6fb1dd71

And it worked so smoothly; I followed almost 2.5k users per minute.

Thanks for reading; that’s my first English blog post.

You can follow me on Twitter:

http://twitter.com/batuhan_katirci
