The first signs of a presidential transition to stronger cybersecurity aren’t great. A hacker claims he figured out email addresses likely associated with President Donald Trump, his wife, the vice president and a top adviser.
The findings come entirely from open-source research, a bit of guessing and the apparent overlooking of a critical security feature in Twitter, according to a series of tweets from the hacker as well as via CNN, which corresponded with him.
“Trump’s heavy use of Twitter to promote his thoughts and agenda means that an account takeover could have immediate and dangerous national security repercussions.”
Someone going by the nickname WauchulaGhost posted a message with President’s Trump handle on Jan. 20: “Hey @POTUS Looks like someone hacked your account.” He copied the message to Trump’s @realDonaldTrump account.
WauchulaGhost has garnered media coverage in the past for his takeover of ISIS-related Twitter accounts. A short time after his first Jan. 20 tweet, WauchulaGhost posted a screenshot of Trump’s account in which Twitter displayed redacted bits of Trump’s phone number and two email addresses.
“Hey @POTUS,” WauchulaGhost wrote. “On a serious note. Let’s fix your Security settings. Should I email you?”
— WauchulaGhost (@WauchulaGhost) January 21, 2017
Twitter: Real-Time and Dangerous
Trump has relied heavily on Twitter to promote his thoughts and agenda. It has proven to be a sharp spear that generates constant media coverage without the burden of answering direct questions. On the campaign trail, he mercilessly used Twitter to skewer opponents.
Trump’s heavy use of Twitter to promote his thoughts and agenda means that an account takeover could have immediate and dangerous national security repercussions.
Former President Ronald Reagan famously triggered a crisis after he joked near a microphone prior to a speech that bombing of the Soviet Union would begin in five minutes. Although his statement was not broadcast live and the incident only became public the next day, it nonetheless provoked outrage from the Soviet Union.
But someone taking over the president’s Twitter account could provoke a fast-moving, real-time crisis far worse than Reagan’s gaffe.
Dangers of Redaction
The issue highlighted by WauchulaGhost involves Twitter’s password-reset feature for accounts. Password resets remain a vexing issue for service providers, who don’t want to make the process too onerous, to prevent people from abandoning their accounts. But it’s hard to keep such resets secure.
In Twitter’s case, if someone hits the password-reset button, by default it returns a sample of redacted personal information, such as an email address or a phone number.
Although most details will be obscured by X’s, a few characters and numbers remain, which are a loose thread.
WauchulaGhost pulled the thread on Trump’s POTUS account. He posted a screenshot showing the last two digits of the phone number he supplied to Twitter plus redacted versions of two email addresses.
But email addresses, often created in haste, are not hard to guess.
Indeed, WauchulaGhost ran the same experiment for the accounts of Vice President Mike Pence, Trump’s wife, Melania, and Dan Scavino Jr., who is Trump’s director of social media. According to CNN, WauchulaGhost thinks he identified the corresponding email addresses for those accounts, although it’s not clear if the email addresses he guessed are accurate.
Door to Spear Phishing Opens
The threat is that anyone who can identify the email address tied to a Twitter account could then launch cyberattacks, ranging from phishing to social engineering. Crafting an email that looks like it comes from a known contact – but which contains a malicious link or a malware-laced attachment – could also be used to fully compromise a victim’s system.
That is essentially the fate that befell the Democratic Party, which the U.S. intelligence community said was targeted by Russian hackers. Security companies believe the hackers used bogus login pages to trick victims into sharing their log-in credentials, which eventually gave attackers access to the network of the Democratic National Committee, among others.
One Essential Twitter Security Setting
But there’s an easy defense to the vulnerability identified by WauchulaGhost: Twitter has a setting that requires an account holder to enter his or her own personal information in order to trigger a password reset. If enabled, Twitter does not display any redacted information.
Thankfully, this potential vulnerability doesn’t appear to have been exploited. After CNN’s story ran, WauchulaGhost tweeted, “Moral of the story is, the President should have better security. Maybe they will fix it now.”
A related, crowdsourced effort is already underway, with security experts such as Mikko Hypponen, chief research office at Finland-based security firm F-Secure, offering guidance – appropriately enough – via Twitter.
Hello Mr. President!
The setting you’re looking for is Security&Privacy / Password Reset / Require Personal Information To Reset My Password https://t.co/XMY4XkmSui
— Mikko Hypponen