
Sending “promoted” tweets as a notification to followers without paying anything

November 3, 2014

Edit: After I wrote this post, I came across this link – http://www.cnet.com/news/twitter-bug-makes-users-fear-invasion-of-push-notification-ads/

In that link, you will notice that Dick Costolo (CEO of Twitter) claims that “We don’t send ads via push notification. Will look into it.” This is dated way back in Sep’13.

So, after a year, they are still doing that, aren’t they?

I also wanted to clarify that even though this is only aimed towards followers (I haven’t tested against people who are not followers), it is still an ad/promotion being actively sent out as a push notification. That doesn’t happen for normal tweets. Followers don’t get notified actively when somebody tweets. Same thing with promoted tweets. It just shows up on the follower’s timeline. But, this is not the case here. The promoted tweet that I mention below doesn’t appear as a regular tweet on the timeline.

—————

I recently discovered an interesting quirk on Twitter. Sadly, it is a Won’t Fix. I have requested public disclosure so it probably will go live soon. The HackerOne report number is #31073. But, below is what was reported in the meantime:

It was observed that I could promote ads on Twitter without paying anything for them.

Steps to Reproduce:

  • Sign up for a Twitter account and enable Ads & Analytics on your profile. For the sake of the PoC, this is abtest66.
  • Create a campaign. The one that I did was “Website clicks or conversions” “Targeting interests and users”. I chose all locations and for targeting, I chose the following:
    • Added two of my own accounts (abtest67, anshuman_bh)
    • Targeted all my followers
    • Targeted users like my followers
  • Don’t select any promoted tweets as of now. Go ahead and launch the campaign. You will be taken to the payments page. Ignore that and navigate to the Campaign Dashboard. Notice that the Campaign shows as running.
  • Now, edit this campaign and under the Creative section, add a few promoted tweets. I added 6. Notice that in spite of not having any payment set up, the user is allowed to add promoted tweets. I think this is the main problem here.

The result was that in my account anshuman_bh (one of my targets of the above campaign), I got a notification of this promoted tweet. See Screenshots 1 (notification of the promoted tweet) and 2 (the actual promoted tweet when clicked on the notification).

[Screenshot 1]

[Screenshot 2]

Also, under abtest66’s Analytics Dashboard -> Promoted section, I did see some data. See Screenshots 3 and 4. I believe this shouldn’t have happened either.

[Screenshot 3]

[Screenshot 4]

Hope this helps!

Twitter folks were not able to reproduce the issue by following the steps above, so I had to send a more detailed Steps to Reproduce along with a video. Here it goes:

I have tried reproducing it again and it works. Here are the steps.

  • Create a test account – @A1
  • Follow @A1 from another account @A2
  • Now, enable Ads and Analytics for @A1
  • For @A1, create a new campaign -> Promoted Tweets
    The URL will look like https://ads.twitter.com/accounts/<redacted>/campaigns/new_promoted_tweets?source=objective_picker
  • Enter the Campaign Name, choose Start immediately, target interests and followers.
  • Add @A2 as a target. Also check the box “Also target your followers”.
  • Choose Show ads in all available locations
  • Add a promoted tweet.
  • Set daily max 4.00 and max bid per engagement as 2.00
  • Click on save campaign -> Launch Campaign
  • Notice that @A1 is redirected to a payments page. Ignore the payments page
  • Navigate to https://ads.twitter.com/accounts/. Notice the campaign shows as running, but technically it's not.
  • Now, go back to @A1's Twitter homepage and tweet something.
  • Notice @A2 gets a notification (on his mobile phone, for example) saying "@A1 just tweeted for the first time. Welcome @A1 to Twitter!"
    When that notification is clicked, it takes @A2 to the first tweet from @A1. This is as expected. This tweet is also visible on @A1's timeline since it is an actual tweet.
  • Now, go back to the campaign created by @A1 and click Edit.
  • Under tweets, add one more promoted tweet, let's say test1.
  • Notice @A2 gets the same notification again saying "@A1 just tweeted for the first time. Welcome @A1 to Twitter!" When that notification is clicked, it now takes @A2 to the promoted tweet from @A1, test1. This is not as expected. This tweet does not appear on @A1's timeline either. It is a promoted tweet which shouldn't have been promoted. Basically, @A1 just promoted a tweet to one of his followers, @A2, without running a campaign or paying anything.

    Btw, this activity is captured in the Dashboard so you get all those numbers as well.
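To make the two missing checks concrete, here is a small model written for this write-up. It is not Twitter's code, and every name in it (Campaign, CampaignStatus, add_creative, NotificationService, the A1/A2 accounts and their tweets) is an assumption made for illustration. It puts the reported behaviour (a campaign launched without billing that still accepts promoted tweets) next to a hardened path that re-checks funding at the edit step, and it models a first-tweet push rule that fires once per author and never for a promoted creative.

```python
"""Model of the two server-side checks missing in the reported flow.

Hypothetical, simplified model written for this post; not Twitter's code.
All class and function names are assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class CampaignStatus(Enum):
    DRAFT = "draft"
    PENDING_PAYMENT = "pending_payment"  # launched, but no billing on file
    RUNNING = "running"


@dataclass
class Tweet:
    author: str
    text: str
    promoted: bool = False  # promoted creatives never appear on the author's timeline


@dataclass
class Campaign:
    owner: str
    status: CampaignStatus = CampaignStatus.DRAFT
    payment_verified: bool = False
    creatives: list[Tweet] = field(default_factory=list)


class CampaignError(Exception):
    pass


def launch_campaign(campaign: Campaign) -> CampaignStatus:
    # Skipping the payments page must not yield a "running" campaign;
    # the report saw the dashboard show "running" in exactly that case.
    campaign.status = (
        CampaignStatus.RUNNING if campaign.payment_verified else CampaignStatus.PENDING_PAYMENT
    )
    return campaign.status


def add_creative_unchecked(campaign: Campaign, tweet: Tweet) -> int:
    # Behaviour as reported: whoever can edit the campaign can attach creatives,
    # regardless of whether billing was ever completed.
    campaign.creatives.append(tweet)
    return len(campaign.creatives)


def add_creative(campaign: Campaign, tweet: Tweet) -> int:
    # Hardened: the funding check is re-applied at the edit step, not only at launch.
    if campaign.status is not CampaignStatus.RUNNING or not campaign.payment_verified:
        raise CampaignError("no verified payment method on campaign; creative rejected")
    campaign.creatives.append(tweet)
    return len(campaign.creatives)


class NotificationService:
    """Decides which followers receive the 'first tweet' push for a tweet."""

    def __init__(self) -> None:
        self._announced: set[str] = set()  # authors whose first tweet was already pushed

    def first_tweet_push(self, tweet: Tweet, followers: list[str]) -> list[str]:
        # A promoted creative is not an organic tweet: it never triggers the push
        # and never counts as the author's first tweet.
        if tweet.promoted:
            return []
        # The announcement is strictly once per author.
        if tweet.author in self._announced:
            return []
        self._announced.add(tweet.author)
        return list(followers)


def reproduce_report() -> dict:
    """Walk through the @A1/@A2 scenario from the steps above (constructed data)."""
    a1, a2 = "A1", "A2"

    unchecked = Campaign(owner=a1)
    status = launch_campaign(unchecked)  # payments page ignored
    accepted = add_creative_unchecked(unchecked, Tweet(a1, "test1", promoted=True))

    hardened = Campaign(owner=a1)
    launch_campaign(hardened)
    try:
        add_creative(hardened, Tweet(a1, "test1", promoted=True))
        rejected = False
    except CampaignError:
        rejected = True

    svc = NotificationService()
    promoted_first = svc.first_tweet_push(Tweet(a1, "test1", promoted=True), [a2])
    organic = svc.first_tweet_push(Tweet(a1, "hello"), [a2])
    organic_again = svc.first_tweet_push(Tweet(a1, "hello again"), [a2])

    return {
        "status_after_launch": status,
        "unchecked_creatives": accepted,
        "hardened_rejected": rejected,
        "push_for_promoted": promoted_first,
        "push_for_first_organic": organic,
        "push_for_second_organic": organic_again,
    }


if __name__ == "__main__":
    for key, value in reproduce_report().items():
        print(f"{key}: {value}")
```

The notification rule is keyed on the author having had no prior organic tweet, so a promoted creative neither triggers the push nor consumes the one-time announcement; and the funding check is enforced where creatives are attached, not only at launch, which is the gap the edit step above walks through.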

Video link – https://www.dropbox.com/s/ftcle365fx6cbs8/Video%20Oct%2013%2C%209%2004%2003%20PM.mov?dl=0


This was finally triaged and I got an initial reply stating:

“Thank you for your report. We believe it may be a valid security issue and will investigate it further. It could take some time to find and update the root cause for an issue, so we thank you for your patience.

Thank you for helping keep Twitter secure!”


But, a few days later, they replied back saying:

“Hello again. After consulting with the security team and the relevant engineering team, we decided since it only affects notifications of first tweet, the impact is so low that we aren’t going to fix it. Thanks again for looking at Twitter security.”


And, then another clarification saying:

“Hi, please let me clarify. I should say that it only happens when it shows up via a notification (such as first tweet notification). You should only be able to get notifications sent to people who follow you. So in this case you’re “promoting” tweets to people who follow you, in which case you could just have tweeted. Anyway, please let me know if I’m missing something.”


To this, my final replies were:

“The first tweet notification should technically be sent to my followers only when I tweet for the first time. It does not get sent anytime after that. If I can leverage this behavior to send promoted tweets to all my followers as and when I wish, then I’d say I am abusing the platform and doing something that I am not technically supposed to do.

Not to mention, I get all the numbers in the Analytics Dashboard as well under Promoted tweets like who clicked, who retweeted, etc. I am getting all the impressions without paying anything. Isn’t this foiling the whole purpose for promoted tweets?

Yes, you could have just tweeted but when you tweet, your followers are not actively notified. It just appears in their timeline. In this case, the followers are being actively notified about it in the form of a notification. It is more like a promotion than just regular tweeting.”


“In the end, I’d say this really boils down to the business decision and risk acceptance. If you guys are okay with this behavior, I don’t have any problems. In that case, do you mind changing the status to “Won’t Fix”? Thanks!”


Cheers!

Anshuman


From → Security
