Monday afternoon, in the Cocoanetics offices. Colleague René is discussing with us an approach how to centralize some code without inheritance and is drawing on the whiteboard. Suddenly my iPhone begins to vibrate.
My first thought was that this must be the silent ringing when there is an incoming voice call. It didn’t stop even though we tried to ignore it for a few seconds. Then I glanced at the phone and noticed that I was getting a flash flood of push notifications from Tweetbot.
Update: JustUnfollow posted an interview with me.
You know, I am somewhat vain when it comes to my social network. I had enabled all available notifications in Twitter on my iPhone, my iPad and both of my Macs. And all of these were getting hammered. The Mac notification center showed 100…200…300 new notifications, rapidly rising all the while the iPhone was massaging the table.
I checked my follower count, assuming that this was a glitch in Tweetbot or maybe Twitter. But it was rising rapidly. Earlier this morning the follower count on @cocoanetics stood at 8676, a number that had grown slowly over several years, I assume because people liked my policy there of limiting personal tweets, reporting interesting news about developments in the Apple world and retweeting brilliant and humorous related tweets. But by the time our initial laughter had subsided I had shot past 10,000 followers.
But it didn’t stop there. Only the notifications did, because I disabled those in all my Tweetbots. About an hour later the follower number had crossed 25,000, falling just short of famous former iOS developer and now full-time author Matt Gemmell.
And so the investigation into the sudden rise of my fame started…
Facebook’s Paper uses DTCoreText
Shortly before the follower avalanche began Salavat Khanov had sent me a screenshot of the acknowledgement screen in Facebook’s new Paper app mentioning DTCoreText. This component allows you to parse HTML and display it on your own terms without needing a web view.
Could that have been the reason?
Probably not, since this is a Facebook app and not connected with Twitter. Although – of course – I welcome the advertising for me by mighty Facebook.
At first glance I had suspected that all those followers were accounts created by bots. Some certainly look like it, having no avatar image, no followers or no tweets. A great many accounts seemed to have Cyrillic names, causing me to consider a connection to the upcoming Olympics on Russian soil.
I was spinning conspiracy theories. Could this possibly be a preparation for a bot-driven offensive of tweets against the Games, Russia or president Putin?
But what possible gain would those alleged cyber terrorists have from tripling my follower count? The only one I could think of is that maybe they wanted to butter up my account in preparation for sending out tweets through it. While writing this I realised that I should change my password to prevent that.
Hm, 64 applications being able to access my account? So I went and revoked all but a few just to be safe.
Third-Party App Security Problem
Doing a search on Google revealed that every now and then somebody found that their Twitter account had followed people they never chose to follow. In fact some of my new followers related accounts of people experiencing the same problem.
Twitter’s advice on the matter is to change your password and revoke third-party access for all apps you don’t need anymore. When people do this it usually stops the mysterious growth. But my follower avalanche proves that there is a much greater security problem inherent in the way Twitter authorises third-party apps.
There are, broadly, two levels of security for Twitter apps: basic and direct message. The higher level, which also grants access to direct messages, needs special approval and is only granted for Twitter clients. The lower level is able to do everything else, like follow people, because following someone only requires ordinary read and write access.
Apparently it is possible for nefarious forces to collect OAuth tokens, or to hack third-party web apps, such that they end up holding the “keys” to thousands of Twitter users’ accounts. Those keys stay valid until the user revokes the app, since Twitter’s access tokens do not expire on their own. So even if the keys only carry the basic security level, they are enough to have a thousand accounts suddenly follow a specific account.
So you see, here is the irrefutable proof that it is technically possible to compromise a third-party web app and remote-control your Twitter account. One solution might be for Twitter to employ some heuristics to discover unusual activity on Twitter accounts, but it doesn’t look like anything of the sort exists at present. Another solution might be much finer-grained security levels.
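The kind of heuristic suggested above, as an added example that is not part of the original post and not Twitter’s own code: a sliding-window detector that flags a third-party app when many distinct accounts follow the same target through it within a few minutes. The event format (timestamp, app id, follower id, target id), the app names and the sample events are all constructed for this illustration; the window and threshold are assumptions to tune against real traffic.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def follow_burst_alerts(events, window=timedelta(minutes=5), threshold=50):
    """Flag (app, target) pairs through which `threshold` or more distinct
    accounts followed the same target inside any `window`.

    events: iterable of (timestamp, app_id, follower_id, target_id).
    Returns {(app_id, target_id): (peak_distinct_followers, time_of_peak)}.
    A single account re-following the same target repeatedly is counted once,
    so retry loops in a buggy client do not trip the detector.
    """
    events = sorted(events, key=lambda e: e[0])
    windows = defaultdict(deque)      # (app, target) -> deque of (ts, follower)
    in_window = defaultdict(Counter)  # (app, target) -> follower -> occurrences
    alerts = {}
    for ts, app, follower, target in events:
        key = (app, target)
        q, seen = windows[key], in_window[key]
        q.append((ts, follower))
        seen[follower] += 1
        # Drop events that fell out of the window before counting.
        while ts - q[0][0] > window:
            old_ts, old_follower = q.popleft()
            seen[old_follower] -= 1
            if seen[old_follower] == 0:
                del seen[old_follower]
        distinct = len(seen)
        if distinct >= threshold and distinct > alerts.get(key, (0,))[0]:
            alerts[key] = (distinct, ts)
    return alerts


def build_sample_events():
    """Constructed sample traffic, not real Twitter data."""
    base = datetime(2014, 2, 3, 14, 0)
    events = []
    # Ordinary traffic: a handful of follows via a legitimate client, spread out.
    for i in range(10):
        events.append((base + timedelta(minutes=20 * i), "tweetbot",
                       f"user{i}", f"target{i % 3}"))
    # The avalanche: 120 distinct accounts follow one target via one app
    # within three minutes, the pattern a harvested token set produces.
    for i in range(120):
        events.append((base + timedelta(seconds=1.5 * i), "suspect-app",
                       f"acct{i:04d}", "cocoanetics"))
    # Noise that must not alert: one account re-following the same target 60 times.
    for i in range(60):
        events.append((base + timedelta(seconds=i), "retry-app",
                       "bouncy", "someone"))
    return events


if __name__ == "__main__":
    for (app, target), (count, when) in follow_burst_alerts(build_sample_events()).items():
        print(f"ALERT app={app} target={target} distinct_followers={count} at {when}")
```

Keying on the app as well as the target is the point: a genuine surge of interest arrives through many different clients, while a harvested token set is replayed through the one compromised app, which is exactly the app the provider should suspend.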
One question remains unanswered:
I can think of three reasons why my professional account got targeted to be the unsuspecting recipient of such a windfall of followers.
- Somebody with access to my account planned nefarious things with it
- Extortion: “Nice follower count. Would be sad if something were to happen to it”
- A hacker/spammer made a mistake and intended to target another account
Of course I am happy to have a higher number of followers showing when somebody new checks out my Twitter profile. Certainly they will feel that I have more influence since so many people are following me. So this becomes a self-fulfilling prophecy.
Since the peak above 25k the number has begun to slowly drop as those people realise that they didn’t intend to follow me, wondering how or what did that on their behalf. I had come within arm’s reach of my idol Matt Gemmell (former iOS developer, now author) who sits at 27k followers.
I would be very pleased if I remained above 10k because this is the next big round number above the 8600 I had before. I can understand the reasons why people would pay for getting tons of followers. The feeling is great. You feel powerful. Like you have more to say and more people are listening than ever before.
But I didn’t pay and will never pay anything. This is what makes it such an amazing occurrence.
I tweeted to Twitter Support multiple times during the avalanche. They have yet to respond to my messages. I have a feeling that they never will because of the embarrassment such a gaping security hole might be causing them.