this post was submitted on 20 Oct 2023
84 points (97.7% liked)

A Researcher Hijacked the CIA's Secure Contact Link for Informants Due to a Flaw in X | Kevin McSheehan discovered that the CIA's link for informants was bugged on X, leaving the door open for a malicious actor to impersonate the agency.

[–] [email protected] 10 points 1 year ago* (last edited 1 year ago)

archive.org

Full text

A security researcher hijacked a Telegram link on X (formerly Twitter) meant to direct informants to a secure way to contact the CIA. Their motivation, they told Motherboard, was to prevent a malicious actor from hijacking the link first and impersonating the CIA for nefarious reasons.

As first reported by the BBC, 37-year-old Kevin McSheehan—who goes by “pad” online—discovered the issue by accident. Since May, the CIA has run a Telegram channel with instructions in English and Cyrillic for reaching out to the spy agency securely using the Tor browser for the dark web. McSheehan discovered that the link to that channel, which is posted to the CIA’s bio on X, was shortened so that it linked to an unclaimed Telegram account: “t.me/s/SecurelyCont.” Archived versions of the CIA’s X account confirm that this was the case since the beginning of October.

What this meant was that anyone in the world who noticed this flaw could register that Telegram account, and then anyone visiting it—potentially with the intention of becoming an informant for the CIA—would see whatever the attacker wanted. In theory, they could easily impersonate the CIA at the link, as it was prominently displayed on the agency’s official X page. McSheehan decided to register the Telegram link before a malicious actor could.

McSheehan called the Telegram channel “X/CIA URL ISSUE — SECURED BY X.COM/123456 [McSheehan’s X account].” The first post that greets visitors says, “THIS IS NOT AN OFFICIAL CIA CHANNEL — DO NOT SHARE SENSITIVE INFORMATION WITH ANYONE,” and repeats that message in Cyrillic.

“I was motivated by NATSEC,” McSheehan told Motherboard. “I assumed that it was a very recent mistake and that a bad actor was going to capitalize on it at any minute. I didn't even need to think—I just locked it down. I appointed myself the gig on the spot. I'm patriotic, very pro-CIA and have a documented history of whitehatting.”

The issue has since been corrected and the CIA’s X page now correctly links to the agency’s Telegram for informants.

According to McSheehan, the issue lies with X rather than with the CIA. “The CIA is solid. X has been buggy for months with links, text formatting, etc,” he said. “Blame really can't be placed on the CIA. Did they drop the ball? Yes kind of—but everyone drops the ball sometimes. Even in the [intelligence community].”

When reached for comment, X sent Motherboard a boilerplate response email.

“If any bug bounty…is offered related to this incident—I will decline it and instead have it issued to DAV (Disabled American Veterans) to thank them for their sacrifices,” McSheehan said. “I also thank the CIA at large for everything they do. They [catch] a lot of criticism—but they also catch a lot of terrorists. I'm infinitely grateful for having been able to assist them in any capacity.”

[–] [email protected] 2 points 1 year ago

Lol. Lmao even.