Twitter has fulfilled a promise made by Elon Musk and published the source code of its recommender algorithm on GitHub. Researchers soon found a weakness in it that can be used to push a user into a shadowban.
Numerous researchers immediately set about studying the source code, and one of the problems they found has now been assigned a CVE identifier. The vulnerability allows an attacker to have a victim “shadowbanned”: the targeted account is hidden from other users, with no way for its owner to appeal.
Let me remind you that we also wrote that Elon Musk confirmed a Russian had offered a Tesla employee a million dollars to hack the company, and that CERT launched a Twitter bot that comes up with names for vulnerabilities.
The media also reported that hacker George “GeoHot” Hotz would become a Twitter intern and promised to fix search.
The issue was discovered by Federico Andres Lois while investigating the recommendation engine that powers Twitter's For You feed. According to his analysis, coordinated action by other users can lead to a “shadow ban” of any account that the victim is unlikely to be able to overcome.
For the victim to receive large-scale reputation penalties, it is enough for the participating accounts to unfollow the target, mute it, block it, or report it for violations.
According to Lois, Twitter’s current recommendation algorithm “allows for coordinated, non-recourse damage to [any] account’s reputation.” The issue has since been assigned CVE-2023-23218.
As a result, any account subjected to mass blocking and unfollowing receives a “shadowban” and is no longer shown in other people's recommendations, while the owner of the affected account is not even told about the restriction. The researcher also notes that there appears to be no way to lift such a ban.
Lois writes that apps like Block Party, which let Twitter users filter accounts in bulk, are essentially tools that (intentionally or not) have the same effect on the targeted users.
Many Twitter users have already pointed out that the flaw could be exploited by the platform's numerous bot armies. When one user suggested that Musk fix the problem by allowing only “blue tick” (verified) users to mute, block and report, Musk replied that he wanted to know “who is behind these botnets”.
That, however, would require Twitter to have a team of moderators, and they appear to have been fired en masse along with other staff in the mass layoffs last November after Musk took over the company.
Another obvious mitigation would be to apply time decay to negative signals, so that old unfollows, mutes, blocks and reports gradually stop counting against an account. According to Lois, however, the design of Twitter’s recommender makes this easy to defeat, for example by repeatedly re-following and then unfollowing the targeted accounts every 90 days.
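To make the two points above concrete (a mass of negative signals pushing an account below a visibility threshold, and periodic re-signalling defeating time decay), here is an added toy simulation. It is example code written for this article, not Twitter's recommender and not anything from Lois's analysis; the signal weights, the 90-day half-life, the hide threshold of 45, the brigade of 20 accounts and the `Signal`/`penalty_at`/`first_visible_day` names are all assumptions chosen for illustration.

```python
"""Toy model of time-decayed negative signals in a recommender.

Added illustration only: NOT Twitter's code and not Lois's analysis.
All numbers (weights, half-life, threshold, brigade size, cadence) are
assumptions chosen so the scenarios are easy to follow.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed per-signal weights for the four negative actions named in the article.
SIGNAL_WEIGHTS = {"unfollow": 1.0, "mute": 2.0, "block": 3.0, "report": 4.0}


@dataclass(frozen=True)
class Signal:
    actor: str  # account that emitted the negative signal
    kind: str   # key of SIGNAL_WEIGHTS
    day: int    # day the signal was emitted (day 0 = start of the simulation)


def penalty_at(signals: Iterable[Signal], day: int, half_life_days: Optional[float]) -> float:
    """Sum of signal weights, each decayed by 0.5 ** (age / half_life).

    half_life_days=None models a recommender with no decay at all, the
    situation in which a one-off brigade becomes a permanent ban.
    """
    total = 0.0
    for s in signals:
        if s.day > day:
            continue  # signal not yet emitted on this day
        age = day - s.day
        decay = 1.0 if half_life_days is None else 0.5 ** (age / half_life_days)
        total += SIGNAL_WEIGHTS[s.kind] * decay
    return total


def is_hidden(signals: Iterable[Signal], day: int, half_life_days: Optional[float],
              threshold: float) -> bool:
    """Hypothetical rule: the account is dropped from recommendations while
    its decayed penalty is at or above the threshold."""
    return penalty_at(signals, day, half_life_days) >= threshold


def first_visible_day(signals: List[Signal], half_life_days: Optional[float],
                      threshold: float, horizon_days: int) -> Optional[int]:
    """First day within the horizon on which the account surfaces again,
    or None if it stays hidden for the whole horizon."""
    for day in range(horizon_days + 1):
        if not is_hidden(signals, day, half_life_days, threshold):
            return day
    return None


def one_shot_brigade(n_actors: int, day: int = 0) -> List[Signal]:
    """n coordinated accounts each unfollow, mute, block and report the target once."""
    return [Signal(f"bot{i}", kind, day) for i in range(n_actors) for kind in SIGNAL_WEIGHTS]


def cycling_brigade(n_actors: int, period_days: int, horizon_days: int) -> List[Signal]:
    """The same accounts re-follow and then re-issue every negative signal
    every `period_days`, topping the penalty up before it decays away."""
    signals: List[Signal] = []
    for day in range(0, horizon_days + 1, period_days):
        signals += one_shot_brigade(n_actors, day)
    return signals


if __name__ == "__main__":
    HALF_LIFE, THRESHOLD, HORIZON = 90, 45.0, 365
    organic = [Signal("alice", "block", 0)]  # one genuine block, constructed input
    print("single block hides account:", is_hidden(organic, 0, HALF_LIFE, THRESHOLD))
    print("one-off brigade, no decay, visible on day:",
          first_visible_day(one_shot_brigade(20), None, THRESHOLD, HORIZON))
    print("one-off brigade, 90-day half-life, visible on day:",
          first_visible_day(one_shot_brigade(20), HALF_LIFE, THRESHOLD, HORIZON))
    print("brigade repeated every 90 days, visible on day:",
          first_visible_day(cycling_brigade(20, 90, HORIZON), HALF_LIFE, THRESHOLD, HORIZON))
```

With these assumed parameters a single genuine block does nothing, a one-off brigade of 20 accounts without decay hides the target for the whole year, the same brigade with a 90-day half-life lets the target resurface on day 194, and a brigade that re-issues its signals every 90 days keeps the target hidden for the entire horizon, which is the re-following trick described above. Shortening the half-life only changes the cadence the attackers need, not the outcome.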