Humor Software Security Vulnerability

Why Server-Side Input Validation Matters

Update (2020-04-29): Twitter has fixed their oversight.

    "errors": [{
        "code": 356,
        "message": "preferences.gender_preferences.gender_override: Must provide a non-empty custom value 30 characters or less in length."

Anyone who set their custom gender to a long volume of text, should still have it set to a long volume of text.

The original article follows after the separator.

I was recently made aware of a change to Twitter, which exposes a new Gender field. If you’ve never specified your gender before, they guessed what it was (which is a really shitty thing to do, especially towards trans folks!).

Slightly annoyed, I went to go see what Twitter thinks my gender is.

Curses! They know I’m a guy. This won’t do at all.

Soatok angrily grasping computer monitor

But what’s this? An “Add your gender” option?

That’s at least, something, I guess? Defaulting to [whatever the algorithm guesses] is sucky, but at least nonbinary folks can still self-identify however they want.

But 30 characters isn’t a lot. What if I want to drop in, say, 68 characters? Do I need to do some crazy Unicode fuckery to pull that off?

Nope, Inspect Element + set maxlength="255" and now Twitter thinks my gender is the EICAR test file. Wonderful!

Which means: If someone downloads my Twitter data without my consent onto a workstation running antivirus software, the file will delete itself and all will be right in the marketing world.

(Okay but seriously, a lot of downstream systemic failures would have to exist for any damage to occur from me deciding to self-identify to marketers this way.)

Lessons to Learn

Twitter enforced a maxlength of 30 in the HTML element of the “Add your gender” text input, but they didn’t enforce this requirement server-side. The takeaway here is pretty obvious.

Also, don’t try to automatically guess people’s gender at scale. It’s insulting when you get it wrong, and it’s creepy when you get it right.

(This sticker is tongue-in-cheek.)

What’s the Upper Limit for the Field?

I don’t know, but this indicates it has a larger upper bound than a tweet.

If anyone has success dropping an entire thesis on gender identity and culture in the Gender field, let me know.

Update: The Best Genders

Everyone is having a lot of fun with the Gender field. Here’s some of the best tweets I’ve seen since publishing this stupid bug.


You knew it would happen.

A fox in Furry Technologists suggested building genderfs, which is a lot like redditfs but hoists the entire filesystem into the Gender field.

While I have your attention, trans rights are human rights and biology disagrees with the simple notion of “two sexes”. Thank you and good night.

By Soatok

Security engineer with a fursona. Ask me about dholes or Diffie-Hellman!

5 replies on “Why Server-Side Input Validation Matters”

Bark My Way

This site uses Akismet to reduce spam. Learn how your comment data is processed.