
Security Research on Twitter: Before and After Musk’s Takeover

I got banned for criticizing Twitter’s security, as I’ve done often in the past without repercussion.

This is going to be a bit less polished than my usual writing, because I’m hammering it out before a busy day at work.

My Twitter account was suspended last night, around the same time that a wave of prominent journalists were being suspended for criticizing Elon Musk.

My account suspension was a bit less egregious than how journalists were treated, but it’s still remarkable because I have several comparable data points from before Musk’s takeover.

Why Did @SoatokDhole Get Suspended?

It’s important to emphasize, for background, that Elon Musk claims to be a “Free Speech” absolutist.

Yesterday, Musk banned the @ElonJet Twitter account, after explicitly promising not to. So much for free speech.

But his team took it a step further: They also blocked Twitter users from linking to the @ElonJet account on Mastodon.

They also banned the @joinmastodon account, shortly before adding the filter. Twitter’s going great, really!

Elon’s remaining Twitter staff apparently didn’t include any security experts, because it’s completely trivial to bypass their rule that prohibits posting a link to ElonJet on Mastodon:

  • Capitalize any letter in the URL
  • Append a query string (e.g. ?t=1)
Facepaw
Art: CMYKat
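To make the failure concrete from the defender’s side, here is an added example (not code from this post, and not Twitter’s filter) contrasting an exact-string URL block with one that canonicalizes the host and path before comparing. It goes slightly beyond the two bypasses above by also normalizing percent-encoded paths, trailing slashes, ports and fragments. The host `mastodon.example` and the handle `@blockedaccount` are constructed placeholders, and the assumption that profile paths compare case-insensitively is a property of the hypothetical target, not something the post states.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed placeholder for the blocked profile; the real target is not part of this example.
BLOCKED_URL = "https://mastodon.example/@blockedaccount"

# Canonical (host, path) pairs the hardened filter matches against.
BLOCKED_CANONICAL = {("mastodon.example", "/@blockedaccount")}

# Pull http(s) URLs out of free text (scheme matched case-insensitively).
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return the URLs found in text, with trailing sentence punctuation trimmed."""
    return [m.rstrip(".,;:!?)") for m in URL_RE.findall(text)]


def naive_filter(text):
    """Exact string comparison against the blocked URL.

    Any cosmetic change to the string (a capital letter, a query string,
    percent-encoding) produces a different string and slips past it.
    """
    return any(url == BLOCKED_URL for url in extract_urls(text))


def canonical_url(url):
    """Reduce a URL to the parts that identify the destination.

    Host is lowercased with any trailing dot removed; the path is
    percent-decoded, stripped of a trailing slash and lowercased
    (assumes the target treats profile paths case-insensitively).
    Scheme, port, query and fragment are dropped because they do not
    change which profile the link lands on.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    path = unquote(parts.path).rstrip("/").lower()
    return host, path


def hardened_filter(text):
    """Block if any URL in the text canonicalizes to a blocked (host, path)."""
    return any(canonical_url(url) in BLOCKED_CANONICAL for url in extract_urls(text))


if __name__ == "__main__":
    # Constructed sample posts: the original link and the two variants from the post above.
    samples = [
        "see https://mastodon.example/@blockedaccount",
        "see https://Mastodon.example/@BlockedAccount",
        "see https://mastodon.example/@blockedaccount?t=1",
    ]
    for s in samples:
        print(f"naive={naive_filter(s)!s:5} hardened={hardened_filter(s)!s:5}  {s}")
```

The point of `canonical_url` is that the comparison key is computed from the parsed URL, not from the raw bytes the user typed, so every variant that resolves to the same profile collapses to the same key. A production filter would additionally resolve its own link shortener (t.co-style) and any redirect before canonicalizing, since the bytes in the tweet are not necessarily the bytes a reader ends up at.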

Naturally, I pointed this out. And when I woke up the next morning, my account had been suspended.

Security Research Before the Age of Ruin

Being suspended by Twitter isn’t exactly a remarkable feat. It surely isn’t, by itself, worthy of blogging about.

What is more interesting, however, is I have a history of criticizing Twitter’s security.

  1. My first real blog post here was about how, in April 2020, you could bypass Twitter’s client-side validation to make your Gender field hold a megabyte of data.

    This was publicly disclosed and widely exploited by trans people in protest of being misgendered by Twitter’s automation.

    No account suspension.
  2. I was a loud critic of the Birdwatch feature when it was first announced. I even tracked down the employees that worked on Birdwatch and sent them DMs to notify them of my critique.

    No account suspension.
  3. I’ve been a loud critic of Twitter features that use dark patterns to be user-hostile, such as Twitter Spaces. In fact, my article on how to remove Twitter Spaces was a top search result for relevant queries ever since I wrote it.

    No account suspension.

But criticizing their failed attempts to block people from posting a link to ElonJet? Banned.

Twitter’s Remaining Security Team

My interpretation of this shift in response to security researcher criticism is that Elon Musk is an absolute pissbaby and the remaining Twitter employees are sycophants and/or afraid of another Musk tantrum.

Takeaways

As predicted, Twitter has gone to shit. It’s only going to get worse from here.

You can find me on Mastodon at @soatok@furry.engineer.

I don’t intend to rejoin Twitter, even if my suspension is reversed.

Epilogue

Shortly after I published this blog post, Twitter’s UI updated to inform me that my account suspension is permanent.

Rest in piss, Muskrat.

Update (2022-12-18)

Apparently permanent doesn’t mean what I thought it does, in this age of newspeak.

My appeal, for the record, was a link to this blog post with the accompanying text, “Your boss needs to get over himself”.

Twitter responded in a predictably stupid manner:

Hello,

We’re writing to let you know that your account features will remain limited for the allotted time for violating the Twitter Terms of Service, specifically the Twitter Rules against posting another person’s private and confidential information.

Violations of this policy may include:
  • publishing people’s private information without consent;
  • threatening to hack Twitter or other platforms in order to obtain someone's private information; and/or
  • posting intimate photos or videos taken or distributed without the subject's consent.

Please note that continued abusive behavior may lead to the suspension of your account. To avoid having your account suspended, please only post content that abides by the Twitter Rules.

You can learn more about our rules against posting another person’s private and confidential information.

Thanks,

Twitter

What’s funny about this is:

  1. I didn’t post anyone’s private information, full stop.
  2. I didn’t threaten to hack anything. I did imply that competent security professionals wouldn’t have implemented a filter as badly as Elon Musk’s Twitter did. But that’s not threatening to hack anything.
  3. I haven’t posted any photos or videos. You can see the tweet they flagged has no media attached to it.

The only reasonable way to interpret what I did as posting “private information” is to assume that “Elon Musk is a fucking idiot” is some sort of trade secret.

Which it obviously isn’t.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

3 replies on “Security Research on Twitter: Before and After Musk’s Takeover”

Elon truly really is an incredibly pathetic, weak willed insecure man and his team must be filled with yes men that will just try to please whatever insane horrible idea he has instead of getting fired for telling him he is a dipshit

Sometimes I wonder what Elon Musk is doing? He is a smart individual but lately he is losing the plot.

He has become the “Twit”, like Mr Twit from Roald Dahl’s children’s novel. The scene where Mr Twit thinks the world is upside down, so he does a handstand to rectify the situation.

Poor Elon, what comes up must come down... if he keeps continuing with idiocy.

Please keep writing your articles and blogs, it’s always a pleasure to read them.

Thank you

Dan
