Thursday, 26 January 2017

Trump and staff still use private email and bad security settings for Twitter

In the midst of reports that the freshly inaugurated President Donald Trump is still using his old, insecure Android handset, it appears his phone isn’t the only security threat the country’s new commander-in-chief has ignored.


Yesterday, a hacker going by the moniker ‘WauchulaGhost’ told CNN that the President, the Vice President and the First Lady were all vulnerable to attacks due to a basic security setting in Twitter that – for unknown reasons – they’ve neglected to activate.



The threat essentially revolves around a privacy setting on Twitter that requires users to provide a phone number or an email address when resetting a password. Failing to activate this safeguard ultimately allows anyone to abuse the ‘Forgot Password’ feature to glean partial information associated with the accounts.

For example, when attempting to reset the password for any of the @POTUS, @VP and @FLOTUS accounts, Twitter will take you to a page that reads “[w]e found the following information associated with your account,” readily exposing partially redacted email addresses linked to the Twitter profile in question.

But here’s the problem: As WauchulaGhost explains, recovering the missing letters from such partial emails often marks the very first step hackers take when scheming to breach a target. The next step involves deploying various malicious tactics in hopes of baiting victims to disclose more credentials.


The resourceful hacker has since made this vulnerability more public, tweeting the fully recovered emails associated with the three accounts in question, accompanied by a message warning the president and his associates to immediately update their security settings.

Speaking with CNN, a Twitter representative said company policy forbids them from discussing individual accounts, but noted that the White House Communications Agency directly manages security protocols for government accounts, which purportedly rely on custom protective measures that go beyond two-factor authentication. Even so, enabling two-factor authentication significantly complicates things for hackers on its own.

The fact that the emails attached to @POTUS and @FLOTUS are connected to Gmail accounts makes them even more susceptible to attacks.

Since going public, Vice President Mike Pence and the First Lady have both updated the email addresses linked to their Twitter profiles, but Trump has yet to follow their example.


