9to5Mac Security Bite is exclusively brought to you by Mosyle, the only Apple Unified Platform. Making Apple devices work-ready and enterprise-safe is all we do. Our unique integrated approach to management and security combines state-of-the-art Apple-specific security solutions for fully automated Hardening & Compliance, Next Generation EDR, AI-powered Zero Trust, and exclusive Privilege Management with the most powerful and modern Apple MDM on the market. The result is a totally automated Apple Unified Platform currently trusted by over 45,000 organizations to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.
Amid the heap of an EU fine levied on X earlier this month, Elon Musk announced that the platform’s entire recommendation algorithm would go open source. Seemingly to help cool the regulatory waters by providing greater transparency into how the social media giant organizes users’ timelines.
Usually, IT professionals would see news around something going open source, smile, and move on with their lives. But last week, I came across an interesting thread on none other than X that explains how this move can actually expose anonymous alt accounts through “behavioral fingerprints”…for better or worse.
An OSINT aficionado under the handle @Harrris0n on X recently posted about his findings while digging through the platform’s now-open-source recommendation code. What he found is a bit terrifying if you care about privacy or if you operate an entire network of bot accounts.
Buried in X’s repo was something called the “User Action Sequence.”
This isn’t a mere log either. It’s a transformer context that encodes your entire behavioral history on the platform. It tracks the specific milliseconds you pause to scroll, the type of accounts that trigger a block, the specific flavor of content you’re into, and the exact moment you interact with it. It represents thousands of individual data points collected by the time you see your first cat post.
Now, here’s where it gets fascinating. X uses this sequence to predict engagement (basically serving the most relevant content to keep you on the platform), while simultaneously creating a high-fidelity behavioral fingerprint.
Harrison found that if you run this encoding on a known account and then compare it against thousands of anonymous accounts using something the repo calls “Candidate Isolation,” you get matches. Abnormally high matches. He even laid out the specific recipe needed to build this de-anonymization tool, and the barrier to entry here is very low.
According to his thread, all someone needs is the action sequence encoder (which the X repo just handed over), an embedding similarity search, and a little bit of luck (lol). The only missing piece for most people is the training data of confirmed alt accounts, but Harrison notes he already has that from years of threat actor tracking.
Theoretically, you can map that same behavioral fingerprint from a public X user to an anonymous one, or potentially even cross-platform to accounts on Reddit and Discord. It goes to show that you can easily change your username, but it’s much harder to change your habits.
So, is a burner account truly anonymous? I’ll let you decide.
I wanted to share this thread here on Security Bite because it’s a sobering reminder that these algorithms often know you better than you know yourself. And that digital version of you is still vulnerable.
Subscribe to the 9to5Mac Security Bite podcast for biweekly deep dives and interviews with leading Apple security researchers and experts:
FTC: We use income earning auto affiliate links. More.
