Interesting Twitter Hashbang Bug


Did you know that you can link to a specific Tweet on Twitter? The URL looks like this:
https://twitter.com/#!/edent/status/197967209459499008

Pretty obviously, that's the user's name and the ID of their tweet. Simple, right?

Not really. Click on that link and you'll see this:

[Screenshot: the tweet page, showing the Twitter hashbang bug]
That's my name in the URL bar - but the Number 10 Press Office's tweet on the page.

What's Going On?

Have I retweeted that status? Nope!
Am I a 1337 h4x0r who has hacked Number 10? No sir!
Is the screenshot a fake? Nuh-uh. Check the link yourself.

It's actually a curious bug / feature of Twitter. Each tweet you send has a unique ID, so there can only be one tweet with the ID 197967209459499008, and that ID will always belong to @Number10press.

The username part in the URL is redundant. It seems to be there only to give information to the user and to search engines; the tweet is looked up by its ID alone, so the username can be omitted or changed to anything without affecting which tweet is shown.

Malicious Use?

It strikes me that there is a slim chance of malicious use.

One could create a fake account - say Number1Opress (where the 0 has been replaced with a capital O) - make it tweet something ridiculous, then share a link to that tweet with the real Number10press name in the URL. Anyone who trusts the address bar rather than the name on the tweet itself would think the real account had said it. Minor embarrassment is probably the worst consequence.

It's an interesting usability / security nexus. The username is placed in the URL to make it easier or more useful for users - but it is ignored by the back end system. As it's part of the hated hashbang syntax, I wonder if it could simply be rewritten if there's a mismatch? Since everything after the # never reaches the server, any such rewrite (or refusal to serve the page) would have to be done by the JavaScript that resolves the route in the browser.
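To make the mismatch concrete, here is an added example (not Twitter's code, and not from the original post) of a client-side resolver for the `#!/<username>/status/<id>` route. It looks the tweet up by ID only, as the post describes, then compares the username in the URL with the tweet's real author and either reports the canonical URL to rewrite to or, in the strict variant suggested in the comments, treats a mismatch as not found. The tweet store is a constructed `Map`: the first entry uses the ID and account from the post (with placeholder text), the second ID and its `Number1Opress` author are invented for the impostor scenario. It assumes handles compare case-insensitively, and it goes slightly beyond the post with a lookalike-handle check for the 0/O and 1/l substitutions it mentions.

```javascript
// Added example (not Twitter's code). A hashbang route of the form
//   https://twitter.com/#!/<username>/status/<id>
// is resolved by tweet ID only, so the username may disagree with the
// tweet's real author. This resolver detects that instead of ignoring it.

// Constructed sample tweet store. The first ID and author come from the post;
// the second ID and the impostor account are invented for illustration.
const TWEETS = new Map([
  ["197967209459499008", { author: "Number10press", text: "(real tweet; text not reproduced)" }],
  ["197967209459499009", { author: "Number1Opress", text: "(impostor tweet; constructed)" }],
]);

// Handles are 1-15 characters of [A-Za-z0-9_]; status IDs are decimal integers.
const STATUS_ROUTE = /^#!\/([A-Za-z0-9_]{1,15})\/status\/(\d{1,20})$/;

// Split a hashbang URL's fragment into its username and status ID.
// Returns null when the fragment is not a status route.
function parseStatusRoute(url) {
  const hashIndex = url.indexOf("#");
  if (hashIndex === -1) return null;
  const m = STATUS_ROUTE.exec(url.slice(hashIndex));
  return m ? { username: m[1], statusId: m[2] } : null;
}

// Resolve the route by ID (the behaviour the post describes), then check the
// username against the real author. A mismatch is reported together with the
// canonical URL the client could rewrite the address bar to.
function resolveStatus(url, tweets = TWEETS) {
  const route = parseStatusRoute(url);
  if (!route) return { status: "not-a-status-route" };
  const tweet = tweets.get(route.statusId);
  if (!tweet) return { status: "not-found", route };
  // Assumption: handles are compared case-insensitively.
  const matches = route.username.toLowerCase() === tweet.author.toLowerCase();
  return {
    status: matches ? "ok" : "author-mismatch",
    route,
    author: tweet.author,
    text: tweet.text,
    canonical: `https://twitter.com/#!/${tweet.author}/status/${route.statusId}`,
  };
}

// Strict policy from the comments: a URL naming the wrong author is simply
// not found, so the page never shows a tweet under a borrowed name.
function resolveStatusStrict(url, tweets = TWEETS) {
  const r = resolveStatus(url, tweets);
  return r.status === "author-mismatch" ? { status: "not-found", route: r.route } : r;
}

// Lookalike check for the impostor scenario: fold the digit/letter pairs the
// post mentions (0/O, 1/l/I) onto one form and flag handles that collide.
function confusableKey(handle) {
  return handle.toLowerCase().replace(/0/g, "o").replace(/[1l]/g, "i");
}
function looksLike(a, b) {
  return a.toLowerCase() !== b.toLowerCase() && confusableKey(a) === confusableKey(b);
}

// Demo: the post's own URL, which names edent but resolves to @Number10press.
const demo = resolveStatus("https://twitter.com/#!/edent/status/197967209459499008");
console.log(demo.status, "->", demo.author, "canonical:", demo.canonical);
console.log("Number10press vs Number1Opress confusable:", looksLike("Number10press", "Number1Opress"));
```

The lenient resolver is what a "rewrite on mismatch" fix would use: on `author-mismatch`, replace the fragment with `canonical` before rendering. The strict resolver is the closest a client-side router can get to a 404, since the server never sees the fragment and cannot return a status code for it.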



7 thoughts on “Interesting Twitter Hashbang Bug”

  1. In theory at least, you could be more sinister with this, for example if you used say a ll0ydsbank or 02 account in conjunction with this to issue an urgent message to users asking them to reset their security details etc.

    Given that would still be possible if the user was redirected to the real url for that tweet, I think it would be better (and fairly easy?) for Twitter to give a 404 if the name in the url didn't match the account the tweet was sent from?

    1. Breton Slivka says:

      Not being able to give a 404 status code is one of the consequences of their boneheaded move to use hashbang urls.

    1. Indeed, there was a news website (Daily Mail?) which did that. Of course, people abused it to say "Yeah, the headline says X, but the URL says Y".

    2. Yes, but it's generally only used to add information that doesn't have any particular impact on the end user. For example, with product names, post titles etc people would expect it to generally be some sort of abbreviated version and there isn't much issue if it doesn't match what's served on the page.

      The problem here is that to a user the URL indicates the identity of the @author and they may not notice that the @author is slightly different when they view the tweet itself which has (theoretical, at least) security and privacy implications. Particularly if exploited in such a way as to encourage a user to follow a link (or open an image or other content) that they might not follow if they did not believe it had come from a trusted user.

  2. I imagine it's likely used for tracking what links / tweets you were the originator of sharing?

    Perhaps in the future you could have fun with that by associating certain content with people's Twitter account names. Not sure what effect it would have though. 🙂

