Twitter’s recommendation algorithm opens platform to manipulation, bot attacks, researcher finds

Twitter's newly published source code apparently reveals how the company's recommendation software can be gamed to suppress the reach of specific accounts.

Just three days after Twitter released a portion of its source code online that included the app’s recommendation algorithm, a security researcher found that attackers could manipulate the software to effectively silence specific accounts on the social media platform.

An Argentine developer flagged the issue on the software hosting service GitHub on April 1 after Twitter made the code public in a pair of repositories on the site. “The current implementation allows for coordinated hurting of account reputation without recourse,” the developer wrote.

As a result, the nonprofit Mitre Corporation assigned portions of Twitter’s code a Common Vulnerabilities and Exposures, or CVE, identifier based on the way attackers could target specific accounts to diminish their exposure on the platform. It’s not clear who submitted the CVE request, and Mitre would not identify the submitter, per its policy.

The CVE, an identifier that the information security community uses to track publicly disclosed software flaws, notes that Twitter’s current recommendation algorithm “allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023.”

On the same day the Argentine developer flagged the issue, a Twitter user by the name of “el gato malo” pointed out essentially the same issue, noting that “this is how the botnet/activist armies are crushing accounts.” The user tagged Twitter owner Elon Musk with a suggestion that only “blue check mutes/blocks/reports” should count. Musk replied, asking who was behind the botnets. “Million dollar bounty if convicted,” Musk wrote, although it’s not clear what “convicted” means in this context.
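The mechanism the CVE text describes (many accounts coordinating unfollows, mutes, blocks and reports to drive down one target's reputation score) and the mitigation floated in the thread above (letting only signals from accounts in good standing count) can be sketched in a toy model. The following is an added illustration, not Twitter's code and not derived from the released repositories; the signal weights, the trust thresholds, the hourly window, the per-window cap and the sample accounts are all constructed for the example.

```python
"""Toy model of reputation down-ranking via coordinated negative signals.

Hypothetical illustration only: NEGATIVE_WEIGHTS, actor_trust() and the
window/threshold/cap values are invented, not Twitter's real parameters.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights: how much each negative signal type costs the target.
NEGATIVE_WEIGHTS = {"unfollow": 1.0, "mute": 2.0, "block": 3.0, "report": 4.0}


@dataclass(frozen=True)
class Signal:
    actor: str   # account emitting the signal
    target: str  # account being unfollowed / muted / blocked / reported
    kind: str    # key into NEGATIVE_WEIGHTS
    ts: int      # unix seconds


@dataclass(frozen=True)
class Account:
    created_ts: int
    followers: int


def naive_penalty(signals, target):
    """Vulnerable scoring: every negative signal counts in full, no matter
    who sends it, so N throwaway accounts inflict N times the damage."""
    return sum(NEGATIVE_WEIGHTS[s.kind] for s in signals if s.target == target)


def actor_trust(acct, now, min_age_days=30, min_followers=10):
    """Discount signals from accounts with no standing (young or unfollowed).
    A stand-in for 'only verified accounts count'; thresholds are assumed."""
    age_days = (now - acct.created_ts) / 86400
    if age_days < min_age_days or acct.followers < min_followers:
        return 0.1
    return 1.0


def coordinated_actors(signals, target, window_s=3600, threshold=20):
    """Detection: actors whose negative signals against `target` fall in a
    window that also contains >= threshold distinct senders (a burst)."""
    buckets = defaultdict(set)
    for s in signals:
        if s.target == target:
            buckets[s.ts // window_s].add(s.actor)
    flagged = set()
    for actors in buckets.values():
        if len(actors) >= threshold:
            flagged |= actors
    return flagged


def hardened_penalty(signals, accounts, target, now,
                     window_s=3600, cap_per_window=5.0):
    """Weight each signal by sender standing, and cap what a detected burst
    of correlated senders can inflict per window, so a botnet's total effect
    is bounded instead of growing linearly with its size."""
    suspicious = coordinated_actors(signals, target, window_s)
    organic = 0.0
    burst = defaultdict(float)
    for s in signals:
        if s.target != target:
            continue
        w = NEGATIVE_WEIGHTS[s.kind] * actor_trust(accounts[s.actor], now)
        if s.actor in suspicious:
            burst[s.ts // window_s] += w
        else:
            organic += w
    return organic + sum(min(cap_per_window, v) for v in burst.values())


def build_sample():
    """Constructed data: one long-standing account mutes the target two hours
    ago; fifty two-day-old, follower-less accounts block and report it within
    the same hour."""
    now = 1_680_000_000
    accounts = {"veteran": Account(created_ts=now - 400 * 86400, followers=500)}
    signals = [Signal("veteran", "victim", "mute", now - 7200)]
    for i in range(50):
        bot = f"bot{i:02d}"
        accounts[bot] = Account(created_ts=now - 2 * 86400, followers=0)
        signals.append(Signal(bot, "victim", "block", now - 100 + i))
        signals.append(Signal(bot, "victim", "report", now - 100 + i))
    return signals, accounts, now


if __name__ == "__main__":
    signals, accounts, now = build_sample()
    print("naive penalty:   ", naive_penalty(signals, "victim"))
    print("flagged senders: ", len(coordinated_actors(signals, "victim")))
    print("hardened penalty:", hardened_penalty(signals, accounts, "victim", now))
```

In the constructed sample the naive score charges the target 352 points, 350 of them from the botnet, while the hardened score charges 7: the veteran's mute counts in full, and the fifty fresh accounts are both discounted for lack of standing and collectively capped for the hour in which they acted. The design point is that both defences are needed: trust weighting alone still scales with botnet size, and the burst cap alone can be dodged by spreading signals across windows.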

Twitter, which has disbanded its press team, immediately responded to a request for comment about the CVE and the algorithm issue with: “💩”.

In an unsigned blog post published on the company’s website last week, Twitter said releasing the code was “the first step in a new era of transparency,” and that as “the town square of the internet, we’re ultimately doing this to foster transparency and build trust with our users, customers, and the general public.”

Musk later said in a Twitter Spaces session that the release “is going to be quite embarrassing, and people are going to find a lot of mistakes, but we’re going to fix them very quickly,” according to TechCrunch. He added that the company is “aspiring to the great example of Linux as an open source operating system,” where exploits could be found but “the community identifies and fixes those exploits.”

The National Institute of Standards and Technology’s National Vulnerability Database, which mirrors the CVE list operated and maintained by the Mitre Corporation, contains nearly 650 CVEs that mention an algorithm of some kind. Social media-related CVEs have been assigned in the past, a Mitre representative told CyberScoop Tuesday, including CVE-2022-46405 and CVE-2022-48364, which both concern the Mastodon service.

Updated, April 4, 2023: This story has been updated with information from Mitre Corporation regarding previous social media-related CVEs and its privacy policy.