Best practices

Trump’s @POTUS Twitter account left vulnerable for nearly a week

Set your expectations low for cybersecurity under President Trump.

Best practices

Trump’s @POTUS Twitter account left vulnerable for nearly a week

Set your expectations low for cybersecurity under President Trump.
Best practices

Trump’s @POTUS Twitter account left vulnerable for nearly a week

Set your expectations low for cybersecurity under President Trump.

For the period between the inauguration and earlier today, the Twitter account @POTUS was not maximally secure.

The account was registered to a Gmail email address, rather than a government one, and a security setting that would have prevented parts of that email address from being shown publicly was not enabled.

The oversight is conspicuous for an administration that has used Twitter to signify that statements — no matter how grandiose or combative — are coming directly from the president. If an attacker gained access to a presidential Twitter account and shared alarming information, it could sow panic, strain international relations, tumble the stock market, or worse.

Until Thursday, anyone who clicked the “Forgot password” link on Twitter and typed in @POTUS saw a redacted version of what appears to be the Gmail address of White House Director of Social Media Dan Scavino.

This meant that any communication done through or around the @POTUS account would not go through a government-controlled server, which is a concern for both security and transparency.

After public criticism, the account was updated to reflect two email addresses that appear to be attached to Whitehouse.gov.

In fact, @FLOTUS, @PressSec, and @VP were also linked to Gmail addresses. On Thursday, @FLOTUS and @PressSec were also changed to be associated with different, non-Gmail email addresses. Security settings on @VP were changed so that the public password reset page no longer shows the email address to which it’s registered. And @realDonaldTrump, the president’s primary account, currently requires a phone number or email address before it will display any information.

The negligence shows a cavalier approach to cybersecurity from the new administration.

By default, Twitter’s password reset feature will let anyone type in a username to see a redacted version of the email address registered to the account. Facebook has a similar feature, though it requires the phone number or email address registered to an account.

This oversight by the Trump administration was first pointed out earlier this week by WauchulaGhost, a pseudonymous hacker who rose to fame by hijacking hundreds of Twitter accounts associated with the terrorist group ISIS in order to fill them with porn and gay pride messages. WauchulaGhost noticed that @POTUS, @FLOTUS, and @VP had not enabled the security setting to obscure the email addresses associated with them.

WauchulaGhost shared the information with CNN Money, which spent three days attempting to contact the White House before finally publishing the report Tuesday. The accounts weren’t changed until Thursday, which suggests a glacial security response time by White House officials. (WauchulaGhost said that he or she has no plans to hack into any of the three White House Twitter accounts.)

The negligence shows a cavalier approach to cybersecurity from the new administration.

This discovery, coupled with the revelation that Trump is still using an unsecured Android handset to access Twitter, is striking in light of his prolonged criticism of rival candidate Hillary Clinton’s use of a private email server during her tenure as secretary of state.

Twitter is the president’s main means of communicating with the public, which is a new state of affairs for Americans, the government, and Twitter itself. The company manually stepped in to facilitate the transition of the account from Barack Obama to Donald Trump, which suggests it could intervene further to make its service more secure for the president. Twitter told CNN Money that the White House Communications Agency’s security protocols for White House accounts include more security features than just two-factor authentication, but it did not respond to a request for more information about the security of the @POTUS account and its level of responsibility.

Twitter watchers noticed at least two other peculiar email addresses registered to the Twitter accounts of prominent Trump allies: former New York City Mayor Rudy Giuliani, who Trump has tapped to advise him on cybersecurity, also appears to also be using Gmail, and Gen. Michael Flynn, Trump’s pick for national security adviser who is under investigation over his relationship with Russian officials, is using an email address that appears to be just three characters long.