For the last two days, Elon Musk has claimed that Twitter is under attack from “several hundred organizations” who were conducting “EXTREME levels of data scraping,” forcing them to bring “large numbers of servers online on an emergency basis” and enact emergency measures.
Yesterday, Twitter started blocking all logged-out access to Twitter, requiring signing in to view any tweet or profile. Elon Musk called it a “temporary emergency measure,” claiming they “were getting data pillaged so much that it was degrading service for normal users!”
Apparently, it didn’t stop the crush of traffic and, this morning, Musk announced they escalated their actions against supposed “extreme levels of data scraping” by rate-limiting the number of tweets you can view.
Immediately, Twitter users started seeing “Rate Limit Exceeded” messages and every trending topic was about the collapse of Twitter.
Are shadowy AI companies scraping Twitter for training data? Maybe!
But on Mastodon this morning, web developer Sheldon Chang noticed another source of unusual traffic: a bug in Twitter’s web app that is constantly sending requests to Twitter in an infinite loop:
This is hilarious. It appears that Twitter is DDOSing itself.
The Twitter home feed’s been down for most of this morning. Even though nothing loads, the Twitter website never stops trying and trying.
In the first video, notice the error message that I’m being rate limited. Then notice the jiggling scrollbar on the right.
The second video shows why it’s jiggling. Twitter is firing off about 10 requests a second to itself to try and fetch content that never arrives because Elon’s latest genius innovation is to block people from being able to read Twitter without logging in.
This likely created some hellish conditions that the engineers never envisioned and so we get this comedy of errors resulting in the most epic of self-owns, the self-DDOS.
Unbelievable. It’s amateur hour.
He posted a video of the bug in action, sending hundreds of requests a minute.
On Twitter, software engineer Nelson Minar independently reproduced the bug with his own video capture.
It’s currently unclear when this bug went into production, or how much it’s actually impacting their traffic, so it’s hard to determine whether this bug inadvertently inspired Twitter to block unregistered access and add rate limits, or if the bug was triggered by the rollout of those changes.
On Bluesky, Twitter’s former head of trust and safety Yoel Roth wrote, “For anyone keeping track, this isn’t even the first time they’ve completely broken the site by bumbling around in the rate limiter. There’s a reason the limiter was one of the most locked down internal tools. Futzing around with rate limits is probably the easiest way to break Twitter.”
Sheldon suspects the bug was related to yesterday’s decision to block unregistered users from accessing Twitter, but in a followup, wrote that it’s “probably not the cause of their scraping panic and most of these requests are being blocked.”
It seems very likely that killing free access to the Twitter API led to a big increase in scraping, since countless businesses, organizations, and individuals used it for their projects. It’s also plausible that these issues are entirely unrelated.
If you know more, leave a comment or get in touch. Confidentiality guaranteed.