Twitter exploit let two pranksters post a 35,000-character tweet
Over the weekend, two German Twitter users successfully broke the existing character limit by sending a 35,000-character tweet. By formatting a message as a URL with extensive gibberish, they were able to absurdly pollute followers’ timelines. Twitter soon removed it, but for a moment, all the complaints about the length of 280-character tweets seemed insignificant in the face of such a monster.
User Timrasett paired up with another user named HackneyYT to discover the exploit and tweet out the message. The original is gone now, but thanks to the power of the Internet Archive, you can see the colossus here in all its glory. While the text looks like nonsense, buried inside are the components of a URL (notably a ‘.cc’ tucked within), as Twitter user hexwaxwing pointed out:
If you’re wondering how twitter[.]com/Timrasett/status/926903967027785728 works:
[27024-char domain name].cc/[3244-char directory name] pic.twitter.com/vG26Jvz27F
— waxwing:(): &;: (@hexwaxwing) November 4, 2017
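The structure quoted above, a 27024-character "domain name" followed by ‘.cc’ and a 3244-character path, cannot be a real hostname: DNS limits a name to 253 characters and each label to 63. The sketch below is an added example, not code from Twitter or from the article; it assumes a hypothetical length counter that charges every link a fixed weight, and shows a check that grants that weight only to tokens that pass the DNS limits. The constants `LINK_WEIGHT`, `POST_LIMIT` and `MAX_URL_LEN` and all function names are assumptions made for illustration.

```python
import re

# Assumed values for illustration (not from the article): a hypothetical
# counter that charges every link a fixed weight, plus the post limit.
LINK_WEIGHT = 23
POST_LIMIT = 280
MAX_URL_LEN = 2048  # assumed cap on the length of a whole link

# DNS limits: a hostname is at most 253 characters, each label at most 63.
MAX_HOST_LEN = 253
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
TOKEN_RE = re.compile(r"^(?:https?://)?([^/\s:]+)(?::\d{1,5})?(/\S*)?$", re.I)


def is_plausible_link(token: str) -> bool:
    """True only if the token's host could exist as a DNS name."""
    if len(token) > MAX_URL_LEN:
        return False
    m = TOKEN_RE.match(token)
    if not m:
        return False
    host = m.group(1).rstrip(".")
    labels = host.split(".")
    if len(host) > MAX_HOST_LEN or len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def weighted_length(text: str) -> int:
    """Charge LINK_WEIGHT for valid links, raw length for everything else."""
    tokens = text.split()
    total = max(len(tokens) - 1, 0)  # simplified: one separator per gap
    for tok in tokens:
        total += LINK_WEIGHT if is_plausible_link(tok) else len(tok)
    return total


def accept(text: str) -> bool:
    """Accept a post only if its weighted length fits the limit."""
    return weighted_length(text) <= POST_LIMIT


# Constructed inputs: one with the shape quoted above, one ordinary post.
oversized = "a" * 27024 + ".cc/" + "b" * 3244
normal = "read this example.cc/page"
```

With this check the oversized token is counted at its raw length and rejected, while an ordinary short link still receives the fixed weight.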
Twitter temporarily banned the two users responsible, though their accounts are back online (after thanking Twitter and apologizing for crashing the site). Judging by HackneyYT’s post-ban tweet, both will continue to poke around looking for bugs on the social platform. When reached for comment, a Twitter spokesperson confirmed that the exploit has been fixed and pointed to its rules, specifically:
To promote a stable and secure environment on Twitter, you may not do, or attempt to do, any of the following while accessing or using Twitter:
- Access, tamper with, or use non-public areas of Twitter, Twitter’s computer systems, or the technical delivery systems of Twitter’s providers (except as expressly permitted by the Twitter Bug Bounty program).
- Probe, scan, or test the vulnerability of any system or network, or breach or circumvent any security or authentication measures (except as expressly permitted by the Twitter Bug Bounty program).
- Interfere with or disrupt the access of any user, host or network, including, without limitation, sending a virus, overloading, flooding, spamming, mail-bombing Twitter’s services, or by scripting the creation of content in such a manner as to interfere with or create an undue burden on Twitter