Trump administration is giving us a good lesson on Twitter security

Recent mishaps with White House-related Twitter accounts are highlighting security risks with the social media service

Several recent incidents involving U.S. President Donald Trump's administration can teach users something about IT security -- particularly about Twitter and what not to do with it.

It turns out that several White House-related Twitter accounts -- including the president's official account, @POTUS -- until recently were revealing sensitive information that hackers might be able to exploit.

The problem revolves around the service’s password reset function. Unless the account holder enables a setting that requires extra information, anyone who starts a password reset for an account is shown a partially redacted version of the email address (or phone number) the account is secured with, and that hint is often enough for someone with a little skill to work out the full address.

A hacker who goes by the name WauchulaGhost noticed the problem and began tweeting about it. He found that the @POTUS account was secured to a Gmail address that, although partially redacted, could be guessed as belonging to a Trump aide in charge of social media.


The hacker found the same issue with the Twitter accounts for the vice president, the first lady and Trump’s press secretary, all of which were also secured with Gmail addresses.

“It’s not hard to figure the emails out from there,” WauchulaGhost tweeted. “Once the email is exposed, there is a chance it can be compromised.”
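The step WauchulaGhost describes, working from a redacted hint to a full address, is illustrated by the added example below. It is not code from the article or from Twitter: the hint format (first two characters of the mailbox name, asterisks for the rest, full domain), the naming patterns and the fictitious person "Jane Doe" at example.com are all assumptions made for the illustration. The point it makes is that a mask still reveals the mailbox length, its first characters and the provider, which collapses a list of plausible addresses for a known person to a handful.

```python
"""Why a partially redacted recovery address still identifies its owner.

Constructed example.  The hint format (two visible characters, asterisks
for the rest of the local part, full domain) is an assumption for the
sake of illustration, not Twitter's documented format.
"""


def mask_email(address, visible=2):
    """Redact an address the way a reset prompt might: keep the first
    `visible` characters of the local part and the whole domain."""
    local, domain = address.lower().rsplit("@", 1)
    shown = local[:visible]
    return f"{shown}{'*' * (len(local) - len(shown))}@{domain}"


def name_candidates(first, last, domain):
    """Common mailbox naming patterns for a known person.  This is the
    'not hard to figure out' step: the attacker already knows who is
    behind the account, only the exact mailbox name is unknown."""
    f, l = first.lower(), last.lower()
    patterns = [
        f"{f}{l}", f"{f}.{l}", f"{f}_{l}", f"{f[0]}{l}", f"{f}{l[0]}",
        f"{l}{f}", f"{l}.{f}", f"{f}.{l[0]}", f"{f[0]}.{l}",
    ]
    # Numeric suffixes are common on public providers, so try a few.
    with_numbers = [p + str(n) for p in patterns for n in range(10)]
    return [f"{p}@{domain}" for p in patterns + with_numbers]


def matching_candidates(hint, candidates):
    """Return every candidate whose redacted form equals the hint.
    The hint leaks length, leading characters and domain, so most of
    the candidate list is eliminated immediately."""
    return [c for c in candidates if mask_email(c) == hint]


if __name__ == "__main__":
    # Constructed scenario: the attacker never sees the real address,
    # only the hint the reset page shows for it.
    hint = mask_email("jane.doe@example.com")       # "ja******@example.com"
    pool = name_candidates("Jane", "Doe", "example.com")
    survivors = matching_candidates(hint, pool)
    print(hint, f"{len(survivors)} of {len(pool)} candidates survive:", survivors)
```

Ninety-nine candidates become twelve, and the real address is among them; a phishing campaign against a dozen mailboxes is cheap. The "Require personal information" setting described below removes the hint entirely, which is why it matters.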

Change your security settings

Exposing your email address to the public may seem harmless. But for government officials or business executives, it can be asking for trouble.

That’s what happened in last year’s election. An aide to presidential candidate Hillary Clinton was hacked by suspected Russian cyberspies through a phishing attack sent to his Gmail address. His emails were eventually stolen and leaked to the public.

A hack can be even more devastating if it affects a high-profile Twitter account. But anyone can be a target of such attacks, said Felix Odigie, CEO of Inspired eLearning, a company that specializes in security awareness training.

“People don’t really believe these threat actors are real, or they don’t believe it’s going to happen to them,” he said. “But it’s probably only a matter of time before you get hit at some point.”

To stop Twitter from showing that hint, go into your account’s security settings and check “Require personal information to reset my password.” Anyone trying to reset the password then has to supply the full email address or phone number on the account before the process continues, instead of being shown a redacted version of it.

Use two-factor authentication and secure IT monitoring

Securing a presidential Twitter account with a Gmail address highlights another problem: Why are White House officials using third-party email providers?

In last year’s election, government IT security became a hot-button issue over Clinton’s use of a private email server. Critics feared it left her digital correspondence vulnerable to hacks.

Now the Trump administration has received some flak for securing presidential Twitter accounts to Gmail addresses. “It seems like bad form,” said Jake Williams, founder of security provider Rendition InfoSec. “It should really be a .gov address.”

“In that way, if there’s ever an attempt to enter the account, it’ll be monitored by their own information security people, as opposed to possibly nobody with Gmail,” he said.

That same advice can apply to any business. It's better to rely on corporate IT infrastructure, which can be more tightly controlled, than on common third-party email providers, Williams said.

He also suggests that people secure their Twitter accounts with two-factor authentication. This requires the user to enter both a password and a one-time code, either sent to their mobile phone by text message or generated by an authenticator app on the phone.

“If the attacker ever gets a hold of your password, they still won’t be able to access your account,” Williams said.

Twitter users can access this option by going to security settings and checking “verify login requests.”

Be careful with OAuth tokens

Earlier this week, the Trump administration found itself involved in another Twitter-related incident. The account for Badlands National Park in South Dakota tweeted a series of facts that seemed to challenge Trump’s assertion that climate change is a hoax.

The White House said an “unauthorized user” had used an old password from the National Park Service’s San Francisco office to access the account.

Williams suspects the Trump administration had changed the password to the park’s Twitter account but failed to revoke the OAuth tokens previously issued to third-party applications, which grant access to the account independently of the password.

Third-party applications use OAuth tokens to connect to a Twitter account without ever handling the account’s password, which is also why a password change on its own does not cut them off. “Someone probably realized they were still hooked into the account, and decided to take it for a run,” Williams said.
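The failure mode Williams describes is easy to see in a small model of a service’s account store, given below as an added example. It is not Twitter’s code and does not use Twitter’s API; the `Account` class, its method names and the `revoke_tokens` policy switch are assumptions made for the illustration. It shows that a delegated token lives in its own table next to the credential, so rotating the password leaves every existing token working unless the service (or the account owner, via an authorized-apps review) revokes it.

```python
"""Why changing a password does not lock out an app holding an OAuth token.

Added example modelling a service's account store; it is not Twitter's
implementation.  The class, method names and the revoke_tokens policy
are assumptions made for illustration.
"""
import hashlib
import os
import secrets


class Account:
    def __init__(self, password):
        self._salt = os.urandom(16)
        self._pw_hash = self._hash(password)
        # token -> app name.  Tokens are stored separately from the
        # credential, which is exactly why a password change leaves
        # them untouched unless the service chooses otherwise.
        self._tokens = {}

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def check_password(self, password):
        return secrets.compare_digest(self._hash(password), self._pw_hash)

    def authorize_app(self, app_name):
        """OAuth-style delegation: the app never sees the password; it
        receives an opaque bearer token instead."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = app_name
        return token

    def access_with_token(self, token):
        """Any holder of a live token gets in, whoever they are now."""
        return token in self._tokens

    def authorized_apps(self):
        """What an 'apps and sessions' review page would list."""
        return sorted(set(self._tokens.values()))

    def revoke_app(self, app_name):
        """Revoke every token issued to one app; returns how many died."""
        stale = [t for t, a in self._tokens.items() if a == app_name]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def change_password(self, new_password, revoke_tokens=False):
        """Rotate the credential.  With revoke_tokens=False, which is the
        behaviour the incident suggests, every token keeps working."""
        self._pw_hash = self._hash(new_password)
        if revoke_tokens:
            self._tokens.clear()


def rotate_credential(account, new_password, old_token, revoke_tokens):
    """Rotate the password and report whether a token issued before the
    rotation still grants access afterwards."""
    account.change_password(new_password, revoke_tokens=revoke_tokens)
    return account.access_with_token(old_token)


if __name__ == "__main__":
    # Constructed scenario: a scheduling app was authorized long ago by
    # someone who has since left, then the password is rotated.
    park = Account("old-password")
    scheduler_token = park.authorize_app("scheduler")
    print(rotate_credential(park, "new-password", scheduler_token, revoke_tokens=False))  # True
    print(park.authorized_apps())                                       # ['scheduler']
    print(rotate_credential(park, "newer-password", scheduler_token, revoke_tokens=True))  # False
```

The practical check after any credential rotation is therefore the authorized-apps list, not just the password: anything still listed can post until it is revoked.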

The controversial tweets from the park’s account were quickly deleted, but the mishaps with the Trump administration’s Twitter accounts haven’t stopped.

On Thursday, White House Press Secretary Sean Spicer was found tweeting and then deleting what appeared to be a password, although it’s still unclear what really happened.


Williams advises that White House officials use an option on TweetDeck, a Twitter dashboard, that asks the user to confirm the contents of a tweet before posting it.

“It's saved me from sending something erroneously more than once,” he said.


Michael Kan

IDG News Service