
Twitter 'Shadow Ban' Flaw Receives Official CVE Number


April 07, 2023

In a striking development, cybersecurity researcher Federico Andres Lois has identified a critical bug in Twitter's source code that could let threat actors manipulate the platform's algorithm and suppress posts from appearing on users' feeds.

The flaw, dubbed the "Shadow Ban" bug, has been assigned a CVE (Common Vulnerabilities and Exposures) number to highlight its significance, and is now tracked as CVE-2023-29218.

Its full description reads: "The Twitter Recommendation Algorithm through ec83d01 allows attackers to cause a denial of service (reduction of reputation score) by arranging for multiple Twitter accounts to coordinate negative signals regarding a target account, such as unfollowing, muting, blocking, and reporting, as exploited in the wild in March and April 2023."

This bug came to light after Twitter published its source code on GitHub as a transparency measure, intending to build trust within the community. Unexpectedly, the move exposed a critical vulnerability in the platform's algorithm.

"The current implementation allows for coordinated hurting of account reputation without recourse," reads Lois’ security advisory. "The most general behavior is that global penalties are prone to be gamed (all of them). In other time I would just report this information using a vulnerability channel, but given that this is already popular knowledge there is no use to do so."

The "Shadow Ban" bug enables malicious actors to harness a large number of user accounts, often bot-generated, to essentially "gag" any user of their choosing, effectively silencing them on the platform. By suppressing the visibility of specific tweets or accounts, these threat actors can manipulate the flow of information on Twitter to serve their own malicious purposes.
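The mechanism the advisory describes, global penalties driven by negative signals that many accounts can coordinate, is something a platform's abuse team can both detect and blunt. The Python below is an added example, not code from Twitter's published repository or from Lois' advisory. It runs a sliding-window check over constructed sample events to flag a target that receives negative signals from many distinct accounts within a short interval, and then compares a naive per-event penalty with a deduplicated and capped one, so that a pile-on by N accounts cannot drive a reputation score down without bound. The event format, the window, the thresholds and the point weights are all assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Signal types the advisory lists as negative inputs to the reputation score.
NEGATIVE_SIGNALS = {"unfollow", "mute", "block", "report"}

# Constructed sample events (not real Twitter data). Each tuple is
# (ISO timestamp, source account, target account, signal type).
SAMPLE_EVENTS = [
    # Organic-looking: three unrelated accounts spread over a whole day.
    ("2023-04-01T08:00:00", "acct_a", "other", "mute"),
    ("2023-04-01T13:30:00", "acct_b", "other", "unfollow"),
    ("2023-04-01T19:45:00", "acct_c", "other", "report"),
    # Coordinated: six accounts hit "target" within five minutes.
    ("2023-04-02T10:00:00", "bot_01", "target", "block"),
    ("2023-04-02T10:00:30", "bot_02", "target", "report"),
    ("2023-04-02T10:01:00", "bot_03", "target", "mute"),
    ("2023-04-02T10:01:00", "bot_03", "target", "block"),    # same account twice
    ("2023-04-02T10:02:00", "bot_04", "target", "unfollow"),
    ("2023-04-02T10:03:00", "bot_05", "target", "report"),
    ("2023-04-02T10:04:00", "bot_06", "target", "block"),
    ("2023-04-02T10:04:30", "bot_06", "target", "follow"),   # positive, ignored
]


def negative_events(events):
    """Parse raw tuples, keep only the negative signals, and sort by time."""
    parsed = [
        (datetime.fromisoformat(ts), src, dst, sig)
        for ts, src, dst, sig in events
        if sig in NEGATIVE_SIGNALS
    ]
    return sorted(parsed)


def coordinated_bursts(events, window=timedelta(minutes=10), min_sources=5):
    """Detection: for each target, find the largest number of *distinct*
    source accounts that sent negative signals inside any interval of
    length `window`. Returns {target: peak_distinct_sources} for targets at
    or above `min_sources`. Counting distinct accounts rather than raw
    events separates a pile-on by many accounts from one noisy account."""
    by_target = defaultdict(list)
    for ts, src, dst, _sig in negative_events(events):
        by_target[dst].append((ts, src))

    flagged = {}
    for target, items in by_target.items():
        in_window = defaultdict(int)   # source -> events currently inside the window
        left = 0
        peak = 0
        for ts, src in items:
            in_window[src] += 1
            # Advance the left edge until every retained event lies within `window` of ts.
            while items[left][0] < ts - window:
                old_src = items[left][1]
                in_window[old_src] -= 1
                if in_window[old_src] == 0:
                    del in_window[old_src]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_sources:
            flagged[target] = peak
    return flagged


def reputation_penalty(events, target, weight=10, cap=30):
    """Mitigation sketch (an assumption of this example, not Twitter's scoring).
    Compares three ways of turning negative signals into a score penalty:
      naive   - every negative event costs `weight` points (gameable without bound)
      deduped - each distinct source account counts at most once
      capped  - the deduped total is clamped to `cap` points
    Integer points keep the comparison exact."""
    negatives = [(src, sig) for _ts, src, dst, sig in negative_events(events) if dst == target]
    naive = weight * len(negatives)
    deduped = weight * len({src for src, _sig in negatives})
    capped = min(deduped, cap)
    return naive, deduped, capped


if __name__ == "__main__":
    print("flagged targets:", coordinated_bursts(SAMPLE_EVENTS))
    print("penalty for 'target' (naive, deduped, capped):",
          reputation_penalty(SAMPLE_EVENTS, "target"))
```

Run directly, the script flags only the target that was hit by six distinct accounts inside the ten-minute window; the three scattered signals against the other account stay below threshold. The cap in `reputation_penalty` is the point of the mitigation: with it, adding more coordinating accounts stops paying off once the cap is reached, which is exactly the property the advisory says the global penalties lacked. In a real deployment the window, threshold and cap would be tuned against the platform's organic baseline.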

In response to the discovery, Tesla, SpaceX, and Twitter CEO Elon Musk tweeted a cryptic response, offering a hefty bounty for the conviction of the ones responsible for the botnets. His somewhat puzzling tweet, "Who is behind these botnets? Million dollar bounty if convicted," has sparked considerable buzz within the community.

The unearthing of the “shadow ban” bug raised a few concerns about the integrity of Twitter's algorithm and the potential consequences of releasing source code for public scrutiny.

While the company's commitment to transparency is commendable, the incident is a stark reminder of the risks of leaking source code and the importance of robust cybersecurity.




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
