An “ethical hacker” shows how easy it is to fool cyber security reporters
Original publication date: October 22. Updated (modified concluding paragraphs) October 25
Updated December 16: News from Dutch prosecutors (bottom of the post)
A remarkable story published today describes how famed Dutch “ethical hacker” — Victor Gevers — got access to Donald Trump’s Twitter account by correctly guessing the password: ‘maga2020!’
Written by cybersecurity reporter @gerardjanssen for Dutch magazine Vrij Nederland, the story was breathlessly retweeted by countless other journalists and commentators: How could Trump’s security possibly be this ridiculously bad?
But by taking a closer look at the claims made by the hacker something else becomes clear: What’s ridiculously easy is not hacking Trump’s Twitter account but fooling experienced journalists.
The first claim that should have sparked skepticism is the password. The hacker says that he just guessed the password for Trump’s Twitter account, that there was no 2-factor authentication:
This is not remotely credible.
If Trump’s password really were that basic it would have been guessed in just a few seconds by any pro trying to hack his account. And obviously hundreds or thousands of pros will have already tried to hack the account.
Moreover, Twitter r̵e̵q̵u̵i̵r̵e̵s̵ recommends a stronger password than that even for ordinary users:
For the president of the United States (as well as for other high profile election related accounts) Twitter has strict additional security checks in place:
Just Missed It
But surely the journalist can ask the hacker to demonstrate to him that he has access. That could mean going into Trump’s account and letting the journalist watch as he controls the account. Too bad, that ship has sailed:
Well, if the journalist cannot be there to watch the hacker control the account in person, at the very least the hacker could have screen recorded or filmed himself as he controlled the account. Those things would not be 100% proof either as it would still be possible to fake them. But they would be something. They would at least show some effort, some ingenuity.
But what does the hacker offer?
And not a particularly interesting screenshot either:
This is almost comically unconvincing.
The screenshot of this part of a profile page could never show that the hacker had control of Trump’s account.
For one thing, it doesn’t show Trump’s handle (@realDonaldTrump). Anyone can make their own account look like what the screenshot shows by changing their own profile pictures to those that Trump has on his profile, typing “Donald J. Trump” in the name box, and taking a screenshot.
You can do that in your own account right now.
It would get more interesting, more convincing if there were screenshots where the handle @realDonaldTrump does appear. Users can’t change their own handles to @realDonaldTrump, so if the hacker is in the user’s account settings and the handle “realDonaldTrump” is visible, then it would at least suggest that this is actually a screenshot of a page that only somebody logged into Trump’s account would have access to.
But even that would be easy to fake. You don’t even need any Photoshop skills.
Key point is that there is a difference between your local copy (in your browser, on your own computer) of a Twitter page and the page data as stored on Twitter’s servers.
You can easily ‘hack’ your own local copy, then post screenshots of that, and people may believe these are screenshots of the page as it’s stored on Twitter’s servers.
How to do it?
Go to Trump’s profile, download the profile and header pictures.
Then log in to your own account, go to your profile page, ‘edit profile’ and put Trump’s pics where your pics were.
Now go to any page in your settings where your handle appears.
Right click on a text element on the page, select ‘inspect element’. That opens the elements panel.
You can now change the HTML/CSS on the page, and hence the text of any text element on the page.
So right-click on your handle, select ‘inspect element’ and change your handle to “@realDonaldTrump”.
Now change all the text and numbers (follower counts etc) to match the text and numbers on Trump’s profile.
If you need a blue check mark, you can add that too but it may be a bit more work and require a bit more skill. The simpler way may be to just ask a blue check mark friend to use their account for this little project.
Once you’ve changed everything you now have a local copy of your own Twitter profile that exactly matches what Trump sees when he is logged in to his own profile.
Now close the elements panel.
And take a screenshot of the page.
The hacker has more than just screenshots, though. He also has an anecdote:
But this does absolutely nothing to prove that it was him. Anybody can go through Trump’s timeline, pick a weird tweet and then write a blog post suggesting it was really them who wrote and posted that tweet.
Next the hacker says the US government did end up thanking him for his services. That’s proof, right? So does he show communication from the government? An email, for example?
No, he doesn’t even bother. He just tweets that it happened. No proof:
This was not a sophisticated hoax. It barely reaches the bare minimum. Anyone could have done the ‘technical’ part.
But if ‘anyone’ rather than a famed hacker had told a journalist the same story, with the same laughable evidence, the journalist wouldn’t have believed them.
So more than technical hacking skills, the hoax required a reputation for technical hacking skills.
And astonishingly, the hoax showed that such a reputation may not just be necessary to fool experienced cyber security reporters, it may be enough.
Which raises some questions: With such a wild claim supported by such weak evidence, did the hacker expect to be caught? Or did he genuinely expect to be believed?
Was he trying to get away with it so that he could add this ‘hack’ to his list of accomplishments and further grow his reputation?
Or was he trying to make an opposite point? Is he planning on coming clean soon, revealing that he did it as an elaborate stunt to show how easy it is to fool so many people?
Both scenarios seem pretty improbable. But are there less implausible alternative explanations?
After I first published this article I decided to ask the hacker, publicly and in DMs. And in his responses he insisted the hack really did happen. That denial of course doesn’t mean much as it is consistent with both scenarios.
What may be more meaningful is that some of his peers publicly support his claim. They don’t provide any additional evidence but they do try to persuade doubters that it really did happen. As does the Dutch journalist who wrote the original article and the second Dutch journalist to write about the story. From the latter’s article:
In a radio appearance the first journalist seems to have no doubts whatsoever about what the hacker told him, even if he freely admits (which also became patently obvious) that he lacks the technical knowledge to assess and respond to skeptical questions about the evidence. In general, in that appearance the journalist seemed to downright idolize the hacker, or function as the hacker’s PR person, excitedly listing the hacker’s alleged achievements, indignantly denouncing skeptics, and breezily dismissing the official denials from Twitter and the White House.
This is all very strange.
There is simply no good reason to think that the hacker actually hacked Trump’s Twitter account. The evidence that has been presented is comically weak. And nothing about the confident behavior of the hacker or his supporters changes that fact.
It just makes the whole thing even stranger.
Update December 16: Dutch prosecutors said in a press release today that they would not prosecute Gevers because logging in to Trump’s Twitter account as an ethical hacker is not illegal:
Translation of the relevant part: “The OM (Dutch prosecutors) investigated and assessed the intentions and actions of the Dutch hacker. The OM assumes the hacker did in fact obtain access to Trump’s Twitter account but in doing so met the legal criteria that would make an ethical hacker’s actions not punishable by law.”
The curious thing about this statement is that they don’t write “The OM concludes” or “The OM determines” but “The OM assumes” the hacker did in fact obtain access. This is frustratingly ambiguous as it could mean that they researched the issue, concluded that Gevers did access Trump’s account but that he did not break the law in doing so, or that they listened to Gevers’ story, checked the law and determined that under the assumption that Gevers’ story is correct, he would not have broken the law.
Early media reports about this new press release fail to note this ambiguity or make this distinction, and instead write that Dutch prosecutors determined that Gevers did in fact access Trump’s Twitter account. Some examples:
So we see the same lack of carefulness among major media organizations that we saw in the first reporting about the alleged hack. And the same lack of evidence.
What has changed, however, is that now that Dutch prosecutors have at least determined that Gevers’ actions would not have been illegal, one major obstacle for Gevers to present more convincing evidence for his claim may have disappeared:
As journalist Huib Modderkolk wrote, Gevers feared he could be prosecuted if he showed evidence. Now that prosecutors have said Gevers’ actions are / would have been legal, he may also be free to share the evidence without fear of prosecution (although it’s possible that publishing the evidence rather than just sharing it with the police would still be illegal).
If Gevers now no longer runs the risk of prosecution, all he has to do to convince the world is produce a piece of evidence that would not violate Trump’s privacy. The ball is in his court.
Update March 25: In a new article in De Volkskrant Dutch police and prosecutors state that they are convinced Gevers had access to the account:
They also say that when it comes to responsible hacking it is not the hacker’s job to prove they had access and that it is a bad idea to collect evidence to prove to the outside world that the hack was real. Hackers become prosecutable when they do that. The primary task should be to point out the problem so that it can be fixed:
Which is understandable but also frustrating.
Anyway, because the police explicitly say they are convinced the hack really did happen I am adjusting my estimate of the probability that it did happen upwards, but because:
- there is no convincing publicly available evidence
- the hacker did present *unconvincing* evidence
- the police may not have seen more evidence than the public has (given the fact that they say it is important not to collect too much evidence)
- the story sounds so improbable
I’m still thinking No.