CIA exposed to potential intelligence interception due to X's URL bug
Musk's mega-app-in-waiting goes from chopping headlines to profile URLs
An ethical hacker has exploited a bug in the way X truncates URLs to take over a CIA Telegram channel used to receive intelligence.
Kevin McSheehan, who uses the online handle "Pad," spotted the issue after hovering over the link to the CIA's Telegram channel displayed on its X social media profile.
After the CIA updated its profile at some point after September 27, the Telegram link shortened, cutting off part of the full username, allowing McSheehan to register the new, unregistered handle.
The correct Telegram URL should have been displayed as https://t.me/securelycontactingcia
but X shortened it to https://t.me/securelycont
– at the time an unregistered account name.
McSheehan told the BBC, which first reported the story, that he registered the account name upon realizing it was available to mitigate any potential interceptions of intelligence.
Instead of just shortening the URL in the X profile, X shortened it in a way that completely changed the link's path, which could have left the CIA vulnerable to espionage campaigns.
Side-by-side images of the CIA's X profile. On the left is the current, fixed profile displaying the correctly shortened URL. On the right, the image shows how the URL appeared after it was erroneously truncated and directing to a different channel
The fear was that a hostile nation could have spotted the same issue and exploited it to receive Western intelligence.
- X marks the bot: Musk thinks spammers won't pay $1 a year
- Signal shoots down zero-day rumors, finds 'no evidence' of device takeover
- Australia threatens X with fine, warns Google, for failure to comply with child abuse handling report regs
- EU threatens X with DSA penalties over spread of Israel-Hamas disinformation
This could have made it possible to create a fake CIA account on X, using the same imagery and public-facing profile information, and paying for verification to increase the perceived legitimacy of the account.
The Telegram URL in the fake profile would also have appeared in the same way as it would on the genuine CIA X profile due to the way X truncates URLs.
"It was a perfect storm for something pretty bad to happen – and potentially in an undetected way for quite some time assuming a perfect replica of the CIA channel was produced," McSheehan said in an X post.
"I think this could have been a sustained attack run by an opposition near peer for the purpose of intercepting sensitive information meant to land in the CIA's inbox. The attack scenarios are dreadful."
After registering the account name, McSheehan posted a single message to the Telegram channel explicitly discouraging those who arrived on it from sharing any sensitive information.
He also explained the full story behind how he was able to assume control of a channel advertised by the CIA's official X account, the potential consequences if he hadn't got to it first, and that he was ready to hand over the channel to the US government.
The CIA has since changed its profile to display the correct Telegram URL, which publishes messages in English and Russian, pointing individuals to information on how to securely contact the agency.
The agency did not respond to The Register's request for comment, and X's press office auto-replied with "Busy now, please check back later." It beats the poop emoji, we suppose. ®