
Dutch ethical hacker logs into Trump's Twitter Account


TitanTiger

Quote

 

Last week a Dutch security researcher succeeded in logging into the Twitter account of the American President Donald Trump. Trump, an active Twitterer with 87 million followers, had an extremely weak and easy to guess password and had, according to the researcher, not applied two-step verification.

The researcher, Victor Gevers, had access to Trump’s personal messages, could post tweets in his name and change his profile. Gevers took screenshots when he had access to Trump’s account. These screenshots were shared with de Volkskrant by the monthly opinion magazine Vrij Nederland. Dutch security experts find Gevers’ claim credible.

The Dutchman alerted Trump and American government services to the security leak. After a few days, he was contacted by the American Secret Service in the Netherlands. This agency is also responsible for the security of the American President and took the report seriously, as evidenced by correspondence seen by de Volkskrant. Meanwhile Trump’s account has been made more secure.

This is not the first time that Dutch hackers succeeded in taking over Donald Trump’s Twitter account. The first time was four years ago, just before the 2016 elections, when three hackers jointly managed to retrieve Trump’s password and access his account. That someone has now succeeded again is remarkable. During the previous presidential elections Russian hackers attempted to influence the elections on a large scale. Subsequently, social media have taken various steps to prevent manipulation.

Today as well, barely three weeks before the presidential elections, attempts are being made from Russia and Iran to digitally influence the elections. Obviously, the President’s Twitter account is a target too. Twitter declines to respond on the record, stating that they never comment on security measures for individual accounts. Ronald Prins, founder of security company Hunt & Hackett and one of the best-known Dutch security experts, says: ‘I’ve known Victor Gevers for quite a few years. He has a reputation of devoting his life to finding vulnerabilities and always adopts a very ethical attitude in doing so. On the basis of what I know and have seen, his claim seems credible.’

2016 hack

Victor Gevers was also one of the three hackers who logged into Trump’s account in 2016. ‘That we would succeed in doing it again so soon was not planned’, he says about the buildup to the action. The reason for making another attempt to hack Trump’s account was the reporting in the US about Hunter Biden. A hard disk owned by presidential candidate Joe Biden’s son was supposedly stolen or hacked – also because Hunter Biden used an easy to guess password (Hunter02). Gevers is familiar with leaked databases of old passwords and searched these for Hunter Biden’s data. After analysing these old databases, he felt that the information was incorrect. Hunter Biden used other passwords. Gevers: ‘I could tell that it wasn’t his password.’

It gives him the idea to check how good the security of verified Twitter accounts actually is. He looks at the account of Susan Rice, the former US national security adviser, and at that of Joe Biden. And also takes a look at Donald Trump, while he’s at it. ‘Doing spot checks, that’s my work: look for any leaks in security.’

Earlier discoveries by Gevers include an enormous Chinese database with the location data of 2.7 million inhabitants of Xinjiang – China’s largest province and home to the Uyghurs. The poorly secured database contained all kinds of personal data: people’s ID number, nationality, phone number, date of birth, photos, employer, but also GPS coordinates of the places these individuals had visited. The existence of this database made it even clearer how meticulously China is monitoring the Uyghur minority in the country.

On Friday morning, almost absentmindedly, Gevers tries a number of passwords and their variations. On the fifth attempt: bingo! He tries ‘maga2020!’ (short for make America great again) and suddenly finds himself in the Twitter account of the American President. He is flabbergasted. Gevers: ‘I expected to be blocked after four failed attempts. Or at least would be asked to provide additional information.’ None of that.

On that Friday morning, Gevers has access to what is perhaps the most important Twitter account in the world and is in a position to send a message to 87 million people, the attentive world press, and government leaders. Gevers: ‘I did think: “Here we go again”.’

Illegal

After all, hacking an account is illegal. If Gevers wants to make it clear that he is acting with good intentions, he will have to proceed responsibly and document his steps. He takes screenshots. Then he sends an email to Donald Trump – ‘I still had an old email account of his’ – and sends a copy to the American organisation for digital security. He kindly advises Trump to take extra security measures. And perhaps use a somewhat longer password. Gevers even suggests one: !IWillMakeAmericaGreatAgain2020!, and adds instructions for activating two-step verification. ‘But I didn’t get a reply.’

So, he tries to warn others. Trump’s campaign team, his family. He sends messages via Twitter asking if someone will call Trump’s attention to the fact that his Twitter account is not safe. He tags the CIA, the White House, the FBI, Twitter themselves. No response.

Gevers: ‘Then on Saturday, I suddenly saw that two-step verification for the account had been activated.’ Two days later, in the evening, he receives an email from the American Secret Service. ‘Friendly. They were interested in my information. I forwarded everything to them.’ On Tuesday they speak digitally. They thank Gevers, telling him that they were unaware of the security leak. This still leaves the security researcher with a number of questions: ‘Why is it possible for someone from a different time zone to log into such an important account? Why doesn’t Twitter demand better passwords? If I can access his account, then foreign nations can do so as well, right? Why aren’t the persons who are supposed to protect the President informed when someone reports that his account is unsafe?’

Surprisingly easy

Matthijs Koot, security researcher at Secura, is also astonished at how easy it was for Gevers to take over Trump’s account. ‘To put it harshly: people who in the year 2020 still ignore basic advice on online security are a potential danger to themselves and to those around them.’

According to Koot, these risks also affect others. ‘Today, we are increasingly interconnected, which means that a hack of one individual’s account or computer may also undermine the privacy and security of others. After all, via Trump’s account you can also see private messages sent to him or refer others to links containing malware or to a fake login page.’ This raises the question of how responsible Twitter is when it comes to additional security measures. Koot: ‘They should either compel people to use additional authentication or, if people really don’t want this, make them use a complex password. The days of logging in with just a weak password are over.’

Twitter declines to respond to questions. The question remains why Trump was using such a weak and simple password. Gevers has a possible explanation: ‘Trump is over 70 – elderly people often switch off two-step verification because they find it too complicated. My own mother, for instance. For younger generations digital security is more self-evident.’

https://www.volkskrant.nl/nieuws-achtergrond/dutch-ethical-hacker-logs-into-trump-s-twitter-account~badaa815/

 

🤦‍♂️

Amateur hour in the Oval Office.

Link to comment
Share on other sites





2 minutes ago, Leftfield said:

Would love to read through those personal messages. Can you imagine how much it's killing this guy not to be able to share them?

I was going to say Trump (and the country) is lucky he's an ethical guy and reported it to the USSS.  But then who are we kidding?  If that's his password and no two-factor authentication is enabled, this Dutch guy isn't the only one to have gotten into his account.  China, Russia, North Korea, and/or Iran have all had access to it for God knows how long.

Link to comment
Share on other sites

1 hour ago, Grumps said:

Ethical hacker. Ha!

I work in network security.  Ethical hacking is a real thing.  Companies pay good money to people to have them try to break into their networks and computer systems to find vulnerabilities and help them secure those things.  In fact you can get a well-respected industry certification in this field:  Certified Ethical Hacker.

Link to comment
Share on other sites

17 hours ago, TitanTiger said:

I work in network security.  Ethical hacking is a real thing.  Companies pay good money to people to have them try to break into their networks and computer systems to find vulnerabilities and help them secure those things.  In fact you can get a well-respected industry certification in this field:  Certified Ethical Hacker.

Those companies know it's a lot quicker, easier, and cheaper to just give the hackers the passwords, right?

 

(/s should be obvious, but just in case)

Link to comment
Share on other sites

19 hours ago, Grumps said:

Ethical hacker. Ha!

Never heard the term "white hat?"

Link to comment
Share on other sites

20 hours ago, TitanTiger said:

I work in network security.  Ethical hacking is a real thing.  Companies pay good money to people to have them try to break into their networks and computer systems to find vulnerabilities and help them secure those things.  In fact you can get a well-respected industry certification in this field:  Certified Ethical Hacker.

Awesome! Thanks for the education!

Who hired this guy to hack into Trump's account?

Link to comment
Share on other sites

9 minutes ago, Grumps said:

Awesome! Thanks for the education!

Who hired this guy to hack into Trump's account?

I don’t think anyone did. He and his team did it on a lark back in 2016 and alerted the Secret Service to the issue back then.  That was that until the whole Hunter Biden thing came up in the press. As he was delving into that he revisited the POTUS’s Twitter account and realized he’d changed the password verbatim to something they’d used as an example to make it stronger back in 2016 (maga2020!) and hadn’t turned on two factor authentication. So he again alerted the Secret Service about it. 

Link to comment
Share on other sites

57 minutes ago, TitanTiger said:

I don’t think anyone did. He and his team did it on a lark back in 2016 and alerted the Secret Service to the issue back then.  That was that until the whole Hunter Biden thing came up in the press. As he was delving into that he revisited the POTUS’s Twitter account and realized he’d changed the password verbatim to something they’d used as an example to make it stronger back in 2016 (maga2020!) and hadn’t turned on two factor authentication. So he again alerted the Secret Service about it. 

IOW more gray hat than white hat. 

Link to comment
Share on other sites

1 hour ago, Grumps said:

No.

It actually comes from old westerns, where the protagonist would wear a white hat and the villain a black one. 

Link to comment
Share on other sites

On 10/23/2020 at 4:48 PM, TitanTiger said:

He and his team did it on a lark back in 2016

There must be some woke definition of ethical that has yet to achieve popular use.

Link to comment
Share on other sites

44 minutes ago, RunInRed said:

Wait ... was his password really “maga2020!” 🤣

Yes, it used to be "maga2016!"

This is not the first time that Dutch hackers succeeded in taking over Donald Trump’s Twitter account. The first time was four years ago, just before the 2016 elections,

Link to comment
Share on other sites

5 hours ago, Mikey said:

There must be some woke definition of ethical that has yet to achieve popular use.

Sometimes your ignorance is exasperating. Wake yourself up and realize this guy did the president and the US government a huge favor - twice now. Someone who was unethical would have sold the information off to a foreign government. Perhaps they would’ve given it to a criminal enterprise. Or they could have locked him out of it and posted links to gay porn on his Twitter feed. The more you talk about this the more you reveal how little you understand about it and just about anything else you try to chime in on. 

Link to comment
Share on other sites

12 hours ago, TitanTiger said:

Sometimes your ignorance is exasperating. Wake yourself up and realize this guy did the president and the US government a huge favor - twice now. Someone who was unethical would have sold the information off to a foreign government. Perhaps they would’ve given it to a criminal enterprise. Or they could have locked him out of it and posted links to gay porn on his Twitter feed. The more you talk about this the more you reveal how little you understand about it and just about anything else you try to chime in on. 

It's not complicated. Someone ethical wouldn't be hacking other people's accounts.

Link to comment
Share on other sites

6 hours ago, Mikey said:

It's not complicated. Someone ethical wouldn't be hacking other people's accounts.

Well I hate to break it to you but it is that complicated.  Ethical hackers and security experts, to be good at their jobs, have an existence in the “dark web” where known exploits, security vulnerabilities, databases of hacked passwords and such are traded and sold. They have to know what the bad guys know.

When this guy’s team first accessed Trump’s Twitter account in 2016 it was because they discovered his name in a database of names and passwords from a hack of LinkedIn that was floating around on the dark web. They realized he was using the same password for Twitter as he had been in LinkedIn. So they reported it to US authorities with some suggestions to make it more secure.  This time he tried it again and realized the POTUS had copied a suggested example password verbatim. He again didn’t exploit it, he notified them of it. That is what an ethical hacker does. They use their knowledge to help rather than exploit. They’ll discover bugs in computer code that cause security vulnerabilities and contact the company privately to give them time to fix it before they publish the vulnerability because by doing so it makes all computer systems more secure and doesn’t give bad actors a chance to use it against a person or organization. 

If it wasn’t for guys like this, every website and computer device you own would be far less secure and safe for you to use. 

Link to comment
Share on other sites

I'll also add that even though we're using the term "hacker" here, what the guy did doesn't technically fit the definition of "hacking."  He didn't exploit some mistake in Twitter's code or utilize some sort of cracking tool to brute force the President's password.  He literally just guessed it after 4 or 5 tries.  So Twitter wouldn't see a breach because no one was doing anything that would be considered odd.  It looks like a legitimate login, and because two-factor authentication was inexplicably not enabled, it worked.  

I will say this, this is not only an issue for Trump and the USSS, but for Twitter.  Because while the President shouldn't have been allowed to have such an easy to guess password and no 2FA on his account, Twitter also should have better protections in place for high profile accounts like this.  It's not hard to put in things that flag login attempts from overseas, or to force 2FA to be enabled on the account, or to implement IP filters that only allow logins from specified IP ranges.  Apparently none of these were in place if a guy can log in from the Netherlands without a hiccup or so much as a verification prompt to make sure it's legit.

Link to comment
Share on other sites
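The protections the post above names (lockout after repeated wrong guesses, mandatory 2FA on high-profile accounts, flagging logins from an unexpected country, IP allowlists) as one login-policy check, added here as an example; this is not code from the thread, from Twitter or from the researcher, and every threshold, CIDR range, country code and login event in it is constructed.

```python
# Added example, not code from the thread, from Twitter or from the researcher:
# a login-policy check for high-profile accounts that closes the gaps the posts
# describe. Thresholds, CIDR ranges, countries and login events are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_FAILURES = 4  # assumed lockout threshold: lock after four wrong guesses

@dataclass
class Account:
    handle: str
    high_profile: bool
    two_factor_enrolled: bool
    expected_countries: set = field(default_factory=set)
    allowed_ranges: list = field(default_factory=list)  # CIDRs; empty = no IP allowlist
    failed_attempts: int = 0

@dataclass
class LoginAttempt:
    ip: str
    country: str
    password_ok: bool
    second_factor_ok: bool = False

def evaluate(acct: Account, attempt: LoginAttempt) -> tuple:
    """Return (decision, reason); decision is 'deny', 'challenge' or 'allow'.
    Order: lockout, password, IP allowlist, mandatory 2FA enrolment for
    high-profile accounts, unexpected country, second factor."""
    if acct.failed_attempts >= MAX_FAILURES:
        return "deny", "locked after repeated failed attempts"
    if not attempt.password_ok:
        acct.failed_attempts += 1
        return "deny", f"bad password ({acct.failed_attempts}/{MAX_FAILURES})"
    acct.failed_attempts = 0  # correct password resets the failure counter
    if acct.allowed_ranges and not any(
        ip_address(attempt.ip) in ip_network(r) for r in acct.allowed_ranges
    ):
        return "deny", "source IP outside the account's allowlist"
    if acct.high_profile and not acct.two_factor_enrolled:
        # A correct password alone is not enough: route to 2FA enrolment.
        return "challenge", "2FA enrolment required for high-profile account"
    if acct.expected_countries and attempt.country not in acct.expected_countries:
        return "challenge", f"login from unexpected country {attempt.country}"
    if acct.two_factor_enrolled and not attempt.second_factor_ok:
        return "challenge", "second factor required"
    return "allow", "all checks passed"

def guess_until_locked(acct: Account, wrong_guesses: int) -> str:
    """Simulate wrong guesses, then the right password; return the final decision."""
    for _ in range(wrong_guesses):
        evaluate(acct, LoginAttempt("198.51.100.7", "NL", password_ok=False))
    return evaluate(acct, LoginAttempt("198.51.100.7", "NL", password_ok=True))[0]
```

With the constructed threshold, a correct password on the fifth try is refused because the account is already locked, which is the behaviour the researcher said he expected and did not get.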

3 hours ago, TitanTiger said:

If it wasn’t for guys like this, every website and computer device you own would be far less secure and safe for you to use. 

Unless they were hired by their target to provide security, they were not acting ethically.

Link to comment
Share on other sites

11 minutes ago, Mikey said:

Unless they were hired by their target to provide security, they were not acting ethically.

Look, I can explain it to you, but I can't understand it for you.  

I suppose it would have been far better for someone to not check and not then notify the US gov't so he'd keep being an imbecile online and let China, Russia, or North Korea discover it instead.

Link to comment
Share on other sites

8 minutes ago, TitanTiger said:

Look, I can explain it to you, but I can't understand it for you.

Quoting Kayleigh, I see.

You don't have to explain it, I understand that angle of thinking and don't agree. I do not think it's ethical. Akin to finding a woman's purse on the street and going through it before turning it over to the authorities. Not totally crooked, simply slimy and unethical.

Link to comment
Share on other sites

2 minutes ago, Mikey said:

Quoting Kayleigh, I see.

I used that long before Kayleigh ever did.  Hell, it appears on this forum as far back as 2013.  It's a paraphrase of an old Ed Koch quote.

 

2 minutes ago, Mikey said:

You don't have to explain it, I understand that angle of thinking and don't agree. I do not think it's ethical. Akin to finding a woman's purse on the street and going through it before turning it over to the authorities. Not totally crooked, simply slimy and unethical.

Ok.  But the reality of the situation is, without guys who'll do this and then notify companies, software developers, organizations, and individuals, the insecure practices continue to be out there and eventually bad actors will find it.  That's why things don't work the simplistic way you think they should in this realm.  If they did, we'd all be more vulnerable.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
