Update January 27: Following our coverage, the emails associated with President Trump’s @POTUS account were updated to what appears to be government addresses.
Win a trip to Amsterdam!
We've teamed up with Product Hunt to offer you the chance to win an all expense paid trip to TNW Conference 2017!
In midst of reports that the freshly inaugurated President Donald Trump is still using his old, insecure Android handset, it appears his phone isn’t the only security threat the country’s new commander-in-chief has ignored.
Yesterday, a hacker by the moniker ‘WauchulaGhost’ told CNN that the President, the Vice President and the First Lady were all vulnerable to attacks due to a basic security setting in Twitter that – for unknown reasons – they’ve neglected to activate.
The threat essentially revolves around a privacy setting on Twitter that requires users to provide a phone number or an email address when resetting a password. Failing to activate these safeguarding measures ultimately allows anyone to abuse the ‘Forgot Password’ feature to glean partial information associated with the accounts.
For example, when attempting to reset the password for either of the @POTUS, @VP and @FLOTUS accounts, Twitter will take you to a page that reads “[w]e found the following information associated with your account,” readily exposing partially redacted email addresses linked to the Twitter profile in question.
But here’s the problem: As WauchulaGhost explains, recovering the missing letters from such partial emails often marks the very first step hackers take when scheming to breach a target. The next step involves deploying various malicious tactics in hopes of baiting victims to disclose more credentials.
The resourceful hacker has since made this vulnerability more public, tweeting the fully recovered emails associated with the three accounts in question, accompanied by a message warning the president and his associates to immediately update their security settings.
— WauchulaGhost (@WauchulaGhost) January 24, 2017
Speaking with CNN, a Twitter representative said company policy forbids them from discussing individual accounts, but noted that the White House Communications Agency first-handedly manages security protocols for government accounts, which purportedly rely on custom protective measures that go beyond two-factor authentication – though enabling two-factor authentication significantly complicates things for hackers on its own.
The fact that the emails attached to @POTUS and @FLOTUS are connected to Gmail accounts makes them even more susceptible to attacks.
Since going public, Vice President Mike Pence and the First Lady have both updated the email addresses linked to their Twitter profiles, but Trump is yet to follow their example.
However, WauchulaGhost suggests that in order to be even safer, the accounts should also enable the extra security setting which prompts users to type in their phone number and email in order to reset the password.
Curiously, both Barack Obama (@POTUS44) and Trump’s personal Twitter account (@RealDonaldTrump) appear to have enabled the extra security setting, so it remains unclear why the safeguarding measure has been deactivated for @POTUS after Trump inherited the account last Friday.
It seems the newly-inaugurated commander-in-chief isn’t the only one to have neglected his Twitter security.
More shockingly, TNW has been able to confirm that at least five of Trump’s cabinet members and designees use Twitter accounts with deactivated safety features. Among others, the list most notably includes Secretary of Defense James Mattis, Secretary of Commerce Wilbur Ross, as well as Secretary of Labor Andrew Puzder.
In addition to lacking the extra security settings, Mattis, Ross and Puzder are all using their unofficial email addresses to log in to Twitter.
Other members with insecure settings include Chief Strategist Steve Bannon and Press Secretary Sean Spicer.
As State Department Advisor Chris Bonk told CNN, neglecting the additional safety settings probably doesn’t put the security of the accounts in grave danger, but “[e]very piece of evidence [a hacker] can build up to target your profile can be useful on an attack campaign.”
➤ Now on to something different: Pornhub reveals the Women’s March caused serious drops in porn traffic