Twitter Bug Notifies People When They Get Added to ‘Private’ Lists

A strange bug allows some people who get added to a “private” list to know they are on that list.
December 13, 2019, 8:45pm
8066760004_00a5f6f96a_o
IMAGE: NAN PALMERO/WIKIMEDIA CREATIVE COMMONS

On Friday, Caroline Haskins got an unexpected notification on her Twitter account.

“Morgan Culbertson added you to list Haters,” the notification read.

Haskins, a journalist at BuzzFeed News (and formerly of Motherboard), posted a screenshot of the notification.

“Lmaoooooooooo,” she tweeted.

Haskins was laughing because Culbertson is the public relations coordinator for Amazon’s camera surveillance company Ring, a company Haskins has gradually dismantled in the last year, with a seemingly endless series of scoops and deeply reported investigations.

As it turns out, Haskins may have found out she was added to the list because of an embarrassing Twitter bug. As of Friday afternoon, when a user created a Private list and added people on it, sometimes, the people who got added to the list would get a notification that they were added to the list.

Motherboard verified this bug by creating a private list and adding three people on it. One of them, gamer Emanuel Maiberg, got notified.

Strangely, other people who were added on the test list did not get a notification. When Maiberg clicked on the notification, he only saw a blank interface with a spinning loading wheel. So, even the bug has a bug, it appears.

On its Help Center, Twitter explains that a private list is “only accessible to you.”

Twitter did not immediately respond to a request for comment.

Security researcher Kenn White alerted Motherboard of the bug.

“It's a pretty troubling privacy leak. Easy to envision scenarios where this could lead to bullying or harassment,” White said. “I do think it's easy to make the mistake of underestimating the complexity of a system on this scale. The software logic behind real time notification queuing of billions of messages per minute can be staggering in scope. That said, when these sort of privacy leaks are discovered, it's important to resolve them as quickly as possible.”

UPDATE, 12/16/2019, 4:27 p.m. ET: Twitter said in an email that "this was a bug and has since been resolved."

A previous version of this story misquoted Haskins' tweet. She wrote "lmaoooooooooo," not "lmao." We regret the error.