Twitter shows that in-band data is still dangerous

Around 20 years ago, I was using a bulletin board system running the Major BBS software.

One of the primary features was group chat, which was still very novel back in the day. Whatever you typed appeared on the screen of everyone else, modulo some swearing filters, which just seem quaint today. There were no control keys; you skipped from forum to forum by typing certain commands, like "join <topic>", or "x" to exit the chat and go to some other function of the BBS. It was considered a fine jape to ask the crowd, "hey, what is the roman numeral for 10?" and watch the people who typed in their answer disappear.

One command in particular was "POST <username>". This would change the status of the given username from whatever it currently was ("paid", "expired", or "guest") to a special user status that could log in only for a limited amount of time but had unlimited posting privileges during that period.

The existence of this command was kept secret among the admins and a few trusted wizards, until one evening someone typo'd the command in chat. Another user tried it, saw what happened, and spread the word.

For a few hours complete chaos reigned. People would log in, and within a minute find that someone had POSTed them into the new status. For most users it was a downgrade, but for new users and guests it was an upgrade. New accounts were made on the spot because anyone could instantly upgrade them.

The admins had to restore from a backup taken a few days earlier, which was one of the first lessons I ever received on the importance of backing up your data.

This all happened because, among other problems, the code was using in-band data to determine special actions: the chat handler scanned ordinary chat text for control words, so anyone who typed the right word triggered the command. The users didn't need to pull up a special menu to do these commands.

There were similar problems with "+++" (the Hayes modem escape sequence, which a modem would honour whether the local user or the remote end put it into the data stream) and "CONNECTION LOST" in the days of modems.

Proving that there is nothing new under the sun, Twitter apparently uses some in-band forms of control. Typing "accept joeuser" makes joeuser follow you. Hopefully Twitter has backups they can restore from to undo all of this.

There are probably other control words you can use in your Twitter feed. Right now I expect someone is sending a dictionary through a Twitter feed and watching to see what magic happens. The next few days should be interesting, unless Twitter is shutting all those commands down now.

I understand the deep-seated desire for an elegant control mechanism, and just being able to type commands right into Twitter must have seemed really cool. But the vulnerabilities of in-band data have been around for a long time (in-band signalling on touch-tone phones being the classic case), and will continue until we all finally learn the lesson.
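To make the lesson concrete, here is an added example (not code from the BBS, from Twitter, or from the original post) that reconstructs the failure described above in miniature. The user model, the message classes and the "POST" verb are hypothetical simplifications. The vulnerable handler scans every chat line for the control word; the hardened one carries commands as a separate, typed message and additionally checks who is issuing them, since an out-of-band channel on its own is no substitute for an authorization check.

```python
"""In-band command parsing versus an out-of-band control channel.

Added example, not code from the BBS or from Twitter. User model, message
classes and the "POST" verb are hypothetical reconstructions of the post.
"""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    status: str            # e.g. "paid", "expired", "guest", "post"
    is_admin: bool = False


@dataclass
class Board:
    users: dict = field(default_factory=dict)
    chat_log: list = field(default_factory=list)

    def add(self, user):
        self.users[user.name] = user


# ---- vulnerable: control words are recognised inside ordinary chat text ----

def handle_chat_inband(board, sender, text):
    """Every chat line is scanned for the secret verb.

    Two defects: the command rides in the same channel as chat text, and
    nobody checks whether the sender may use it. Anyone who learns (or
    mistypes) "POST <name>" changes <name>'s status.
    """
    words = text.split()
    if len(words) == 2 and words[0].upper() == "POST" and words[1] in board.users:
        board.users[words[1]].status = "post"
        return "status changed"
    board.chat_log.append((sender, text))
    return "chat"


# ---- hardened: commands are a distinct message type, and are authorised ----

@dataclass
class ChatMessage:
    text: str              # opaque payload: relayed, never interpreted


@dataclass
class CommandMessage:
    verb: str
    target: str


def handle_message_oob(board, sender, msg):
    """Chat text is data; commands arrive on their own typed channel.

    Even on the control channel the server checks who is speaking, so
    learning the verb is worthless without the privilege to use it.
    """
    if isinstance(msg, ChatMessage):
        board.chat_log.append((sender, msg.text))
        return "chat"
    if isinstance(msg, CommandMessage) and msg.verb == "POST":
        if not board.users[sender].is_admin:
            return "denied"
        if msg.target not in board.users:
            return "no such user"
        board.users[msg.target].status = "post"
        return "status changed"
    return "unknown command"


def fresh_board():
    """Constructed sample population: one admin, one paid user, one guest."""
    board = Board()
    board.add(User("sysop", "paid", is_admin=True))
    board.add(User("alice", "paid"))
    board.add(User("guest42", "guest"))
    return board


def demo():
    """Run both handlers against the same inputs; returns the outcomes."""
    results = {}

    board = fresh_board()
    # A guest types the leaked command into chat: alice is re-statused.
    results["inband_guest"] = handle_chat_inband(board, "guest42", "POST alice")
    results["inband_alice_status"] = board.users["alice"].status

    board = fresh_board()
    # Same text as chat: relayed verbatim, nothing changes.
    results["oob_chat"] = handle_message_oob(board, "guest42", ChatMessage("POST alice"))
    results["oob_alice_after_chat"] = board.users["alice"].status
    results["oob_chat_log"] = list(board.chat_log)
    # Same verb on the control channel from a guest: refused.
    results["oob_guest_cmd"] = handle_message_oob(board, "guest42", CommandMessage("POST", "alice"))
    results["oob_alice_after_guest"] = board.users["alice"].status
    # ... and from an admin: honoured.
    results["oob_admin_cmd"] = handle_message_oob(board, "sysop", CommandMessage("POST", "alice"))
    results["oob_alice_after_admin"] = board.users["alice"].status
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the fix is two separate things: the chat handler no longer looks inside chat text at all, and the command handler refuses the verb from anyone who is not an admin. Either one alone would have limited the BBS incident; the original code had neither.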

1 comment:

Tom said...

These aren't in-band; these are TXT commands, so you can accept new follow requests on the go if you're a Private account. See also: follow, dm, leave, whois.