The new American president’s Twitter account isn’t a means of communication as much as it is a tool for confusion, propaganda, and unceasing assault. But Donald Trump has shown his tweets can move the stock market, provoke foreign powers, and dominate news cycles, so the account’s potential to shake the world is unprecedented. And all that’s stopping an outsider from seizing control of @POTUS could be someone’s personal Gmail password.
If you forget your Twitter password, the company allows you to easily reset the code through a link sent to an email address you designate in your account settings. This same process makes it elementary to hijack that Twitter account if you have access to the email account in question: Just request a password reset, wait for the link to arrive, and lock your victim out of their own Twitter account. If two-factor authentication is enabled, it would impede but not necessarily stop a motivated or sophisticated attacker.
Trump’s account is an obviously juicy target for such an attack, representing what BuzzFeed’s Joe Bernstein described as “a national security disaster waiting to happen.” An unauthorized declaration of, say, imminent hostilities or economic sanctions coming from the president’s official account could destabilize the entire world.
According to hacker and Twitter user @WauchulaGhost, Trump’s account is set to email password reset requests to a personal Gmail account (it appears to be that of Dan Scavino, his social media chief), and it reveals the first two letters of the account (enough to surmise it’s probably Scavino’s). This signals to hackers that all they need to do to illicitly broadcast to the president’s 14 million online followers is get into said Gmail account, which may or may not be secured with some form of two-factor authentication. Even with such an extra layer of authentication, knowing the private email address of a senior White House employee would make them a target for spearphishing attacks like those that befell the DNC and John Podesta last summer.
According to a CNN report, WauchulaGhost “says he found the likely email associated with Melania Trump’s handle within twenty minutes,” and “the email associated with Vice President Mike Pence was easy to guess once you saw the redacted version: email@example.com, which WauchulaGhost pieced together as firstname.lastname@example.org.”
It appears that in the days since WauchulaGhost first tweeted about the vulnerability, the options to reset the @POTUS password via text message or via what appears to be an @DonaldJTrump.com address have been removed. Bizarrely, the Gmail option remains active as of today for both Trump and Press Secretary Sean Spicer.
The irony given Trump’s campaign assaults on Hillary Clinton’s use of a private email service is of course obvious.
Update: Jan. 26, 2017
An earlier version of this story did not address the possibility that two-factor authentication could impede unauthorized access to Trump’s Twitter account.
Update 2: Jan. 26, 2017
As of 1:02 PM today, the email required to reset Trump’s Twitter account was changed to what appears to be a White House address.