
Twitter goes after Baby Peanut, API threat

Two organizations attempted to manipulate Twitter to their benefit over the last few months. One was potentially a nation-sponsored actor; the other was a peanut by comparison.

The more serious case was revealed by Twitter on February 3 when it reported it had shut down an attempt by a possible nation-state actor to exploit an API and match usernames to phone numbers.

The second involved an attempt by the social media operators behind Planters Peanuts to make the resurrection of Mr. Peanut, shown in a Super Bowl commercial with the birth of Baby Peanut, go viral.

In the first case, Twitter noticed the API manipulation on Dec. 24, 2019. At that time someone began using a large number of fake Twitter accounts to exploit a feature in the site’s API that matches phone numbers to the accounts they are registered to. The feature was created to help new users find acquaintances on Twitter by their phone number.

By abusing this feature, the malicious actors could send requests containing phone numbers obtained by legal or illegal means and then collect the account names for any matches. Users who did not have this setting enabled, or who had no phone number associated with their account, were not affected.
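The abuse pattern described above (many fresh accounts, each uploading large batches of numbers through one contact-discovery endpoint and collecting the few names that match) leaves a distinctive footprint in endpoint logs. The following is an added example of detection logic written for this article, not Twitter's own code; the log format, field names and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log for a contact-discovery endpoint that maps uploaded
# phone numbers to account names. The field layout is an assumption:
# timestamp,client_ip,account_id,numbers_uploaded,matches_returned
SAMPLE_LOG = """\
2019-12-24T10:00:01Z,198.51.100.7,u1001,5000,3
2019-12-24T10:00:02Z,198.51.100.7,u1002,5000,2
2019-12-24T10:00:03Z,198.51.100.7,u1003,5000,4
2019-12-24T10:00:04Z,198.51.100.7,u1004,5000,1
2019-12-24T10:00:05Z,198.51.100.7,u1005,5000,0
2019-12-24T10:05:00Z,203.0.113.9,u2001,240,57
2019-12-24T10:06:00Z,203.0.113.10,u2002,80,31
"""

def parse_log(text):
    """Parse the comma-separated log into a list of dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, ip, acct, uploaded, matched = line.split(",")
        rows.append({"ts": ts, "ip": ip, "account": acct,
                     "uploaded": int(uploaded), "matched": int(matched)})
    return rows

def flag_enumeration(rows, min_accounts=3, min_numbers=10000, max_hit_rate=0.01):
    """Return {ip: stats} for client IPs whose aggregate behaviour looks like
    bulk enumeration: many distinct accounts, a very large number of uploaded
    numbers, and a match rate far below what a genuine address book produces."""
    per_ip = defaultdict(lambda: {"accounts": set(), "uploaded": 0, "matched": 0})
    for r in rows:
        s = per_ip[r["ip"]]
        s["accounts"].add(r["account"])
        s["uploaded"] += r["uploaded"]
        s["matched"] += r["matched"]
    flagged = {}
    for ip, s in per_ip.items():
        hit_rate = s["matched"] / s["uploaded"] if s["uploaded"] else 0.0
        if (len(s["accounts"]) >= min_accounts and s["uploaded"] >= min_numbers
                and hit_rate <= max_hit_rate):
            flagged[ip] = {"accounts": len(s["accounts"]),
                           "uploaded": s["uploaded"],
                           "hit_rate": round(hit_rate, 4)}
    return flagged

if __name__ == "__main__":
    for ip, stats in flag_enumeration(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The genuine address-book uploads in the sample (one account each, tens of matches per few hundred numbers) are left alone; only the source that cycles through accounts with near-zero hit rates is reported.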

“After our investigation, we immediately made a number of changes to this endpoint so that it could no longer return specific account names in response to queries. Additionally, we suspended any account we believe to have been exploiting this endpoint,” Twitter said.

Twitter’s investigation found the fake accounts being used were from a wide range of countries but observed a particularly high volume of requests coming from individual IP addresses located within Iran, Israel, and Malaysia.

This could indicate that the IP addresses have ties to state-sponsored actors. All of the accounts were immediately suspended.

The API endpoint has been changed so it no longer returns specific names in response to this query.

More recently, Twitter suspended three accounts owned by Planters, a subsidiary of the Kraft Heinz Food Company, that began retweeting memes in conjunction with the commercial announcing the birth of Baby Peanut in an attempt to make the story go viral, reported Business Insider.

Because the retweeted memes were part of a coordinated promotional effort they may have violated Twitter’s policy on this issue which states “You may not use Twitter’s services in a manner intended to artificially amplify or suppress information or engage in behavior that manipulates or disrupts people’s experience on Twitter.”

Business Insider cited Kraft Heinz as saying, “As we prepared to launch Baby Nut, we knew our fans would want as much content as they could get. After consulting with Twitter, we launched three meme-sharing accounts (BabyNutBaby, @BabyNutMemes and @BabyNutLOL) in a fashion we believed was compliant with its terms of service.”

In the end, the company decided to not rub any salt in the wound and accepted the decision.
