While the experts are warning the press about the fact that the American President Trump is still using his personal insecure Android smartphone, we have discovered that his Twitter is exposed to the risk of hack due to security misconfigurations.
The official @POTUS Twitter account was linked to a private Gmail account owned by President Trump.
The choice of using a private email and non-government email address put at serious risk the Trump account.
We don’t know if the @POTUS Twitter account is protected by a 2FA mechanism anyway in order to take over it hacked just need to access the Trump private email account.
Only Trump’s personal Twitter account seems to be protected by two-factor verification leveraging on a one-time passcode sent to the mobile device.
The bad choice was discovered by the researcher who goes online with moniker @WauchulaGhost.
WauchulaGhost made headlines in June 2016 when he hacked Twitter accounts used by ISIS militant and replaced content with images of porn and gay pride messages.
On Monday night, WauchulaGhost shared the disconcerting news posting the following message on Twitter
“Change your emails & Fix Settings.”
— WauchulaGhost (@WauchulaGhost) January 24, 2017
WauchulaGhost also reported similar problems with the email accounts linked to the First Lady Melania Trump (@FLOTUS) and VP Mike Pence (@VP).
“According to WauchulaGhost, @POTUS, @FLOTUS and @VP are more vulnerable because they haven’t selected a basic security feature on Twitter that requires you to provide a phone number or email address to reset your password. The current security setting for these three accounts allows anyone to click on “forgot password” and type in @FLOTUS, @POTUS or @VP. The next screen says “we found the following information associated with your account” and gives a partially redacted email address to which it will send a password recovery link.” reported the CNN.
“WauchulaGhost says being able to fill in the missing letters and guess someone’s email address is the first step hackers take when trying to breach an account.”
“It’s not hard for us to go figure out that email,” he told CNNTech
WauchulaGhost don’t want to hack the @POTUS Twitter account or Twitter accounts of his staff, he just wants to warn them of a wrong security posture.
The hacker has found the alleged Melania Trump’s email address associated her Twitter account in twenty minutes. He added that the email associated with Vice President Mike Pence was easy to guess, seeing the redacted version: firstname.lastname@example.org it is easy to imagine that it is email@example.com. The worst news is that the VP account isn’t protected by a second factor of authentication.
Once a hacker has discovered the email address for an account he can try to access the email to take over the Twitter account. This is possible by infecting the target machine with a malware or through a spear phishing attack.
“All I have to do is guess the email. Which I have been rather good at doing,” WauchulaGhost told CNNTech via Twitter DM. “Then verify the email exists. At that point take the email account, reset Twitter password, boom….I own the Pres. Not saying I’m going to..haha. But it’s rather easy for some.”
The situation is not so simple, a representative from Twitter confirmed that the White House Communications Agency manages security protocols for White House accounts that go beyond two-factor authentication.
“But according to former State Department Senior Advisor Chris Bronk, the absence of this security setting on White House accounts opens a potentially dangerous door.” states the CNN.
Dear President Trump, fix your security settings as soon as possible.
(Security Affairs – President Trump, hacking)