Hacker to Trump: Fix your security settings on Twitter
January 29, 2017 11:42 AM NPT
According to a man who identifies himself online as WauchulaGhost, the president, vice president, and first lady are more vulnerable to hackers because of a basic Twitter security setting they're not using.
WauchulaGhost contacted me about these insecurities on Saturday. I spent the last three days trying to reach the White House for their response to WauchulaGhost's claims. I sent multiple emails, including several directly to Dan Scavino, Donald Trump's head of social media.
On Monday night, WauchulaGhost made it more public, tweeting the emails associated with the accounts and the message: "Change your emails & Fix Settings."
In June, WauchulaGhost made headlines by hacking into pro-ISIS accounts and replacing content with images of porn and gay pride messages. He says he has no interest in hacking the president, but that Trump's security settings may leave him vulnerable to other hackers.
According to WauchulaGhost, @POTUS, @FLOTUS and @VP are more vulnerable because they haven't selected a basic security feature on Twitter that requires you to provide a phone number or email address to reset your password. The current security setting for these three accounts allows anyone to click on "forgot password" and type in @FLOTUS, @POTUS or @VP. The next screen says "we found the following information associated with your account" and gives a partially redacted email address to which it will send a password recovery link.
WauchulaGhost says being able to fill in the missing letters and guess someone's email address is the first step hackers take when trying to breach an account.
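To make the setting concrete, here is an added example (not code from the article or from Twitter) of a toy password-recovery handler. It contrasts the weak flow described above, where anyone who types a handle is shown a masked contact address and a reset link goes out, with the hardened flow in which the requester must already know the contact address and the service echoes nothing back. The handles, addresses, masking scheme and response wording are all constructed for illustration.

```python
"""Added example: weak vs. hardened password-recovery flow.
Not the article's or Twitter's code; all data below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def mask_email(addr: str) -> str:
    """Mask an address the way recovery pages commonly do: keep the first and
    last character of the local part and of the domain label, star the rest.
    (Masking scheme assumed for the example; real services vary.)"""
    local, _, domain = addr.partition("@")
    label, _, tld = domain.rpartition(".")

    def star(s: str) -> str:
        if len(s) <= 2:
            return s[0] + "*" * (len(s) - 1)
        return s[0] + "*" * (len(s) - 2) + s[-1]

    return f"{star(local)}@{star(label)}.{tld}"


def matches_mask(candidate: str, mask: str) -> bool:
    """True when a guessed address is consistent with the masked hint. The hint
    fixes the length and several characters, which is why a list of plausible
    candidates shrinks fast once the hint is known."""
    return len(candidate) == len(mask) and all(
        m == "*" or m == c for c, m in zip(candidate.lower(), mask.lower())
    )


@dataclass
class Account:
    handle: str
    email: str
    # The per-account setting the article describes: the requester must supply
    # the contact address (or phone number) before a reset is sent.
    require_contact_for_reset: bool = False


# One wording for every outcome so handles cannot be enumerated via the reset page.
GENERIC = "If that account exists, we've sent a reset link to the contact on file."


@dataclass
class RecoveryService:
    accounts: Dict[str, Account]
    # Constructed stand-in for outbound mail: (recipient, payload) pairs.
    outbox: List[Tuple[str, str]] = field(default_factory=list)

    def request_reset(self, handle: str, supplied_contact: Optional[str] = None) -> str:
        acct = self.accounts.get(handle.lstrip("@").lower())
        if acct is None:
            return GENERIC
        if not acct.require_contact_for_reset:
            # Weak flow: the hint is disclosed to whoever typed the handle, and a
            # reset link is sent without any proof the requester owns the account.
            self.outbox.append((acct.email, "reset-link"))
            return ("We found the following information associated with your account: "
                    f"{mask_email(acct.email)}")
        # Hardened flow: send only if the requester already knows the contact
        # address, and return the generic message either way.
        if supplied_contact and supplied_contact.strip().lower() == acct.email.lower():
            self.outbox.append((acct.email, "reset-link"))
        return GENERIC


def demo() -> Dict[str, object]:
    """Run both flows against constructed accounts and return what a requester sees."""
    svc = RecoveryService(accounts={
        "weakhandle": Account("weakhandle", "jane.doe@example.com"),
        "safehandle": Account("safehandle", "john.roe@example.org",
                              require_contact_for_reset=True),
    })
    weak = svc.request_reset("@WeakHandle")                            # hint leaks
    safe_blind = svc.request_reset("@SafeHandle")                      # nothing leaks, nothing sent
    safe_known = svc.request_reset("@SafeHandle", "john.roe@example.org")  # sent, still generic
    return {"weak": weak, "safe_blind": safe_blind, "safe_known": safe_known,
            "sent": list(svc.outbox)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Running `demo()` shows the difference in one glance: the weak account's response contains `j******e@e*****e.com`, which `matches_mask` will confirm for `jane.doe@example.com` and for every other eight-character `j…e` local part at a seven-character `e…e` domain, while the hardened account returns the same generic line whether or not a reset was actually sent.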
"It's not hard for us to go figure out that email," he told CNNTech in a Twitter direct message. "I've taken over 500 Islamic State accounts."
WauchulaGhost says he found the likely email associated with Melania Trump's handle within twenty minutes. He said the email associated with Vice President Mike Pence was easy to guess once you saw the redacted version: firstname.lastname@example.org, which WauchulaGhost pieced together as email@example.com. It has since been changed, but the president and first lady's email addresses remain the same. (And the VP account still doesn't have the extra layer of security.)
CNNTech reached out multiple times to the White House and to Scavino to alert them to the lack of security on the accounts.
As of Tuesday morning, we have not received a response.
According to WauchulaGhost, once you have the email address tied to an account, the next step is gaining access to that email. Common tactics include malware, password-guessing tools that try large numbers of candidates until one works, or using known information about a person to trick them into sharing their password.
"All I have to do is guess the email. Which I have been rather good at doing," WauchulaGhost told CNNTech via Twitter DM. "Then verify the email exists. At that point take the email account, reset Twitter password, boom....I own the Pres. Not saying I'm going to..haha. But it's rather easy for some."
It's likely more difficult than that. A representative from Twitter said the company doesn't comment on individual accounts, but pointed out that the White House Communications Agency manages security protocols for White House accounts, which, according to Twitter, go beyond two-factor authentication. Even two-factor authentication on its own would make it significantly more difficult for a hacker to take control of the handles.
But according to former State Department Senior Advisor Chris Bronk, the absence of this security setting on White House accounts opens a potentially dangerous door.
"Is it a grave vulnerability? Probably not. But it's tipping your hand. Every piece of evidence [a hacker] can build up to target your profile can be useful on an attack campaign," Bronk told CNNTech.
And even a temporary breach could have far-reaching consequences.
"These are accounts that can affect the national security of the United States at this point or the bottom line of the Dow Jones," Bronk said.
The emails attached to @POTUS and @FLOTUS are also Gmail addresses, which Tanium CEO Orion Hindawi considers less secure for this purpose. It would be safer to attach the accounts to a .gov email, Hindawi said. Social media accounts tied to corporate or government email accounts often come with built-in protections against break-ins: even if a hacker figures out the address and starts phishing it, an IT department is monitoring.
"Our recommendation: People use corporate-owned assets or corporate-owned emails so they can be monitored for suspicious behavior," Hindawi told CNNTech.
According to WauchulaGhost, people who want their Twitter accounts to be more secure, including the president, should use the security setting that requires you to type in your phone number or email address in order to reset your password. In an age where personally identifiable information can lead to hacking attempts, the less you give away, the better. Security experts have warned that the president's Twitter account will be a target for hackers.
Both Barack Obama (@POTUS44) and Donald Trump's personal Twitter account (@RealDonaldTrump) appear to have the extra security setting. It was unclear whether security settings were shifted when Twitter changed the @POTUS account from Obama to Trump last Friday.