
Hostile nation could have exploited it to receive Western intelligence.
No one not fitted for a straitjacket would use X, Telegram or a URL shortener to carry out intelligence.
An ethical hacker has exploited a bug in the way X truncates URLs to take over a CIA Telegram channel used to receive intelligence. Kevin McSheehan, who uses the online handle "Pad," spotted the issue after hovering over the link to the CIA's Telegram channel displayed on its X social media profile. After the CIA updated its …
So you are a Russian railway worker, not a fan of special military operations, and want to report how many trains of tanks you routed and to where.
What are you supposed to do? Hang around on park benches asking people if "the eagle flies south for the winter"? Ring Moscow information and ask for the local CIA tips line? Write a letter to CIA HQ USA?
>>> "We have done spectacularly badly in some recent wars because we had excellent intelligence on the terrain but a total lack of understanding of the people on the ground".
I confess I still don't understand people on the ground who forbid their daughters to go to schools and hang men for stealing.
Something's definitely wrong with me.
The Reg article is misleading. Why would you need an X profile impersonating the CIA? All that was needed was for the adversary to set up the Telegram profile that was linked to by the incorrectly shortened URL on the *real* CIA Twitter/X profile. That's why this was so dangerous until the white hat grabbed that Telegram handle and made it clear that it was not the CIA Telegram account.
If you set up a fake CIA X account you could put whatever Telegram handle you wanted in. The whole URL shortening issue would be neither here nor there.
Double whammy?
The question would be how long before and whether the CIA cyber experts would recognise the difference between the two X profiles, until they tried to log in to view the account...
What the fake X profile did was to prove that X does very little real checking of details and thus saw the two Telegram handles as being different even though they were in reality the same.
Looks to me like it was initially truncated for display (i.e. still pointing to the correct place) but then an intern updated the status by copying and pasting the whole thing, thereby losing the hidden part of the URL.
That's purely speculation on my part, but I wouldn't entirely blame X for this without further info.
"paying for verification"
Every use of the word verification in connection with Xitter should be preceded by the word so-called, or should at the very least be in quotation marks. Under the current regime, the word has taken on an Orwellian level of means-the-opposite-of-what-it-says'ness.