CIA exposed to potential intelligence interception due to X's URL bug

An ethical hacker has exploited a bug in the way X truncates URLs to take over a CIA Telegram channel used to receive intelligence. Kevin McSheehan, who uses the online handle "Pad," spotted the issue after hovering over the link to the CIA's Telegram channel displayed on its X social media profile. After the CIA updated its …

  1. t245t Silver badge
    Facepalm

    Hostile nation could have exploited it to receive Western intelligence.

    No one not fitted for a straitjacket would use X, Telegram or a URL shortener to carry out intelligence.

    1. Yet Another Anonymous coward Silver badge

      Re: Hostile nation could have exploited it to receive Western intelligence.

      So you are a Russian railway worker, not a fan of special military operations, and want to report how many trains of tanks you routed and to where.

      What are you supposed to do? Hang around on park benches asking people if "the eagle flies south for the winter"? Ring Moscow information and ask for the local CIA tips line? Write a letter to CIA HQ, USA?

      1. elsergiovolador Silver badge

        Re: Hostile nation could have exploited it to receive Western intelligence.

        Just post it to 4chan and anons will do the rest.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hostile nation could have exploited it to receive Western intelligence.

          Sure, Ivan Popov is an expert 4chan user.

        2. Anonymous Coward
          Anonymous Coward

          Re: Hostile nation could have exploited it to receive Western intelligence.

          Sure, you could post to 4chan if you want to leak confidential information about the US to Russia.

      2. CowHorseFrog Silver badge

        Re: Hostile nation could have exploited it to receive Western intelligence.

        As opposed to fans of special military operations who report fake numbers?

        Pretty sure western intelligence have plenty of flying birds, they don't need trainspotters.

        1. Anonymous Coward
          Anonymous Coward

          Re: Hostile nation could have exploited it to receive Western intelligence.

          We have done spectacularly badly in some recent wars because we had excellent intelligence on the terrain but a total lack of understanding of the people on the ground.

          1. Anonymous Coward
            Anonymous Coward

            Re: Hostile nation could have exploited it to receive Western intelligence.

            >>> "We have done spectacularly badly in some recent wars because we had excellent intelligence on the terrain but a total lack of understanding of the people on the ground".

            I confess I still don't understand people on the ground who forbid their daughters to go to schools and hang men for stealing.

            Something's definitely wrong with me.

  2. Anonymous Coward
    Anonymous Coward

    Brave man

    There are any number of laws in the UK that could have been dredged up to charge him and silence him.

  3. trevorde Silver badge

    Ridiculous!

    Which hostile nation is going to pay $8 USD/month for a verified account?

    1. Anonymous Coward
      Anonymous Coward

      Re: Ridiculous!

      Especially when you can just call Musk and get it for free.

      1. anonymous boring coward Silver badge

        Re: Ridiculous!

        And make him do stuff for you.

    2. Dr Who

      Re: Ridiculous!

      The Reg article is misleading. Why would you need an X profile impersonating the CIA? All that was needed was for the adversary to set up the Telegram profile that was linked to by the incorrectly shortened URL on the *real* CIA Twitter/X profile. That's why this was so dangerous until the white hat grabbed that Telegram handle and made it clear that it was not the CIA Telegram account.

      If you set up a fake CIA X account you could put whatever Telegram handle you wanted in. The whole URL shortening issue would be neither here nor there.

      1. Roland6 Silver badge

        Re: Ridiculous!

        Double whammy?

        The question would be how long before and whether the CIA cyber experts would recognise the difference between the two X profiles, until they tried to login to view the account...

        What the fake X profile did was to prove that X does very little real checking of details and thus saw the two Telegram handles as being different even though they were in reality the same.
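The failure mode Dr Who and Roland6 describe is a published link whose rendered form points at a different handle than the one intended. The following link-integrity check is an added example, not code from the article or from X; the Telegram handles it uses are constructed placeholders, and it assumes a profile audit has already collected (intended, rendered) link pairs.

```python
from urllib.parse import urlsplit

# Constructed sample: the link an organisation meant to publish versus what
# its profile actually renders after a display-length cut. Placeholder handles.
INTENDED_LINK = "https://t.me/example_official_channel"
RENDERED_LINK = "https://t.me/example_official"

def handle_of(url):
    """Return (host, first path segment) for a link, normalised for comparison.
    Host is case-insensitive; a trailing ellipsis left by display truncation is
    dropped. The handle itself is kept verbatim because some platforms treat
    handles as case-sensitive (assumption, stated conservatively)."""
    parts = urlsplit(url.strip())
    path = parts.path.rstrip(".\u2026")          # strip '...' or a single '…'
    segments = [s for s in path.split("/") if s]
    return parts.netloc.lower(), (segments[0] if segments else "")

def check_link(intended, rendered):
    """Compare the intended link with the one the profile really carries.
      'ok'        - same host and same handle
      'truncated' - rendered handle is a proper prefix of the intended one,
                    the signature of a cut that silently points at a different
                    (and possibly unregistered) handle
      'mismatch'  - different host or an unrelated handle"""
    ihost, ihandle = handle_of(intended)
    rhost, rhandle = handle_of(rendered)
    if ihost != rhost:
        return "mismatch"
    if ihandle == rhandle:
        return "ok"
    if rhandle and ihandle.startswith(rhandle):
        return "truncated"
    return "mismatch"

def audit(links):
    """links: iterable of (intended, rendered) pairs from a profile audit.
    Returns only the pairs a human needs to look at, with their verdict."""
    findings = []
    for intended, rendered in links:
        verdict = check_link(intended, rendered)
        if verdict != "ok":
            findings.append((intended, rendered, verdict))
    return findings

if __name__ == "__main__":
    for item in audit([(INTENDED_LINK, RENDERED_LINK)]):
        print(item)
```

Run it periodically against every outbound link on an official profile; a 'truncated' verdict means the rendered handle should be registered or the link re-published before anyone else claims it.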

  4. CowHorseFrog Silver badge

    Shortcuts, do they really save time?

    1. Anonymous Coward
      Anonymous Coward

      If you have to type them, then yeah, they save time and make it easier to get it right, but wasn't this a clickable link?

  5. anonymous boring coward Silver badge

    Truncate URLs?

    Why? What good is a truncated one?

    1. Anonymous Coward Silver badge
      Alien

      Looks to me like it was initially truncated for display (i.e. still pointing to the correct place) but then an intern updated the status by copying and pasting the whole thing, thereby losing the hidden part of the URL.

      That's purely speculation on my part, but I wouldn't entirely blame X for this without further info.

      1. Anonymous Coward
        Anonymous Coward

        Truncated URLs date back to Twitter time, when it was using a sensible limit of 120 ASCII characters.

  6. C R Mudgeon Bronze badge

    El Reg Style Guide needs an update

    "paying for verification"

    Every use of the word verification in connection with Xitter should be preceded by the word so-called, or should at the very least be in quotation marks. Under the current regime, the word has taken on an Orwellian level of means-the-opposite-of-what-it-says'ness.

    1. Howard Sway Silver badge

      Re: El Reg Style Guide needs an update

      Actually, with the lack of checks, you're not paying for verification, you're just verifying that you've paid.

      1. Yet Another Anonymous coward Silver badge

        Re: El Reg Style Guide needs an update

        But like paying for the TSA VIP line, it's part of the US belief that being able to pay makes you not-criminal.

  7. aerogems Silver badge

    Twitler For Treason?

    Sadly this won't come even close to treason, or likely even any chargeable offense aside from Twitler being an impulsive asshole (which we already knew), and honestly the CIA should have spotted this sooner, but I can dream, can't I?

  8. scrubber

    Exploring Cigars and Inside Jobs

    Genuinely struggling to see how a hostile nation could use any information in a way that creates a larger net negative for humanity than what the CIA would do with it.

  9. pjls

    An opportunity to mess with the CIA squandered.
