Trump Twitter Hack Hoax

An “ethical hacker” shows how easy it is to fool cyber security reporters

Original publication date: October 22. Updated (modified concluding paragraphs) October 25

A remarkable story published today describes how famed Dutch “ethical hacker” — Victor Gevers — got access to Donald Trump’s Twitter account by correctly guessing the password: ’maga2020!’

Image for post
Image for post

Written by cybersecurity reporter @gerardjanssen for Dutch magazine Vrij Nederland, the story was breathlessly retweeted by countless other journalists and commentators: How could Trump’s security possibly be this ridiculously bad?

But by taking a closer look at the claims made by the hacker something else becomes clear: What’s ridiculously easy is not hacking Trump’s Twitter account but fooling experienced journalists.

Password

Image for post
Image for post

This is not remotely credible.

If Trump’s password really were that basic it would have been guessed in just a few seconds by any pro trying to hack his account. And obviously hundreds or thousands of pros will have already tried to hack the account.

Moreover, Twitter r̵e̵q̵u̵ir̵e̵s̵ recommends a stronger password than that even for ordinary users:

Image for post
Image for post

For the president of the United States (as well as for other high profile election related accounts) Twitter has strict additional security checks in place:

Image for post
Image for post

Just Missed It

Image for post
Image for post

Screenshots

But what does the hacker offer?

A screenshot.

And not a particularly interesting screenshot either:

Image for post
Image for post

This is almost comically unconvincing.

The screenshot of this part of a profile page could never show that the hacker had control of Trump’s account.

For one thing, it doesn’t show Trump’s handle (@realDonaldTrump). Anyone can just change their own account to look like what the screenshot shows by simply changing their own profile pictures to those that Trump has on his profile, and then typing “Donald J. Trump’ in the name box, and taking a screenshot.

You can do that in your own account right now.

It would get more interesting, more convincing if there were screenshots where the handle @realDonaldTrump does appear. Users can’t change their own handles to @realDonaldTrump, so if the hacker is in the user’s account settings and the handle “realDonaldTrump” is visible, then it would at least suggest that this is actually a screenshot of a page that only somebody logged into Trump’s account would have access to.

But even that would be easy to fake. You don’t even need any Photoshop skills.

Key point is that there is a difference between your local copy (in your browser, on your own computer) of a Twitter page and the page data as stored on Twitter’s servers.

You can easily ‘hack’ your own local copy, then post screenshots of that, and people may believe these are screenshots of the page as it’s stored on Twitter’s servers

How to do it?

Go to Trump’s profile, download the profile and header pictures.

Then log in to your own account, go to your profile page, ‘edit profile’ and put Trump’s pics where your pics were.

Now go to any page in your settings where your handle appears.

Right click on a text element on the page, select ‘inspect element’. That opens the elements panel.

Image for post
Image for post

You can now change the HTML/CSS on the page, and hence the text of any text element on the page.

So right-click on your handle, select ‘inspect element’ and change your handle to “@realDonaldTrump”.

Now change all the text and numbers (follower counts etc) to match the text and numbers on Trump’s profile.

If you need a blue check mark, you can add that too but it may be a bit more work and require a bit more skill. The simpler way may be to just ask a blue check mark friend to use their account for this little project.

Once you’ve changed everything you now have a local copy of your own Twitter profile that exactly matches what Trump sees when he is logged in to his own profile.

Now close the elements panel.

And take a screenshot of the page.

Voilà.

Anecdote

Image for post
Image for post

But this does absolutely nothing to prove that it was him. Anybody can go through Trump’s timeline, pick a weird tweet and then write a blog post suggesting it was really them who wrote and posted that tweet.

Contact

No, he doesn’t even bother. He just tweets that it happened. No proof:

Image for post
Image for post

Hoax

But if ‘anyone’ rather than a famed hacker had told a journalist the same story, with the same laughable evidence, the journalist wouldn’t have believed them.

So more than technical hacking skills, the hoax required a reputation for technical hacking skills.

And astonishingly, the hoax showed that such a reputation may not just be necessary to fool experienced cyber security reporters, it may be enough.

Which raises some questions: With such a wild claim supported by such weak evidence, did the hacker expect to be caught? Or did he genuinely expect to be believed?

Was he trying to get away with it so that he could add this ‘hack’ to his list of accomplishments and further grow his reputation?

Or was he trying to make an opposite point? Is he planning on coming clean soon, revealing that he did it as an elaborate stunt to show how easy it is to fool so many people?

Both scenarios seem pretty improbable. But are there less implausible alternative explanations?

After I first published this article I decided to ask the hacker, publicly and in DMs. And in his responses he insisted the hack really did happen. That denial of course doesn’t mean much as it is consistent with both scenarios.

What may be more meaningful is that some of his peers publicly support his claim. They don’t provide any additional evidence but they do try to persuade doubters that it really did happen. As does the Dutch journalist who wrote the original article and the second Dutch journalist to write about the story. From the latter’s article:

Image for post
Image for post

In a radio appearance the first journalist seems to have no doubts whatsoever about what the hacker told him, even if he freely admits (which also became patently obvious) that he lacks the technical knowledge to assess and respond to skeptical questions about the evidence. In general, in that appearance the journalist seemed to downright idolize the hacker, or function as the hacker’s PR person, excitedly listing the hacker’s alleged achievements, indignantly denouncing skeptics, and breezily dismissing the official denials from Twitter and the White House.

This is all very strange.

There is simply no good reason to think that the hacker actually hacked Trump’s Twitter account. The evidence that has been presented is comically weak. And nothing about the confident behavior of the hacker or his supporters changes that fact.

It just makes the whole thing even stranger.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store