October 18, 2023 at 09:05AM
An ethical hacker exploited a bug in the way X truncates URLs to take control of a CIA Telegram channel used for intelligence. The bug caused the Telegram link to be shortened incorrectly, allowing the hacker to register a new, unregistered handle. The issue could have exposed the CIA to espionage campaigns. The hacker posted a message on the channel discouraging the sharing of sensitive information and offered to hand over control to the US government. The CIA has since corrected the URL and provided information on how to securely contact the agency.
1. An ethical hacker named Kevin McSheehan, also known as “Pad,” discovered a bug in the way X truncates URLs that allowed him to take over a CIA Telegram channel used for receiving intelligence.
2. The bug was noticed when McSheehan hovered over the link to the CIA’s Telegram channel on its X social media profile.
3. After the CIA updated its profile, the Telegram link became shortened, cutting off part of the full username and allowing McSheehan to register the new, unregistered handle.
4. The correct Telegram URL should have been https://ift.tt/KIUN3sw, but X shortened it to https://ift.tt/uXlMgQC, creating an unregistered account name.
5. McSheehan registered the account name to prevent potential interceptions of intelligence.
6. X not only shortened the URL but also changed its path, which could have made the CIA vulnerable to espionage campaigns.
7. A hostile nation could have exploited the same issue to receive Western intelligence by creating a fake CIA account on X.
8. The fear was that the fake profile could have appeared identical to the genuine CIA X profile due to the way X truncates URLs.
9. The potential consequence could have been a sustained attack by an opposition near peer to intercept sensitive information meant for the CIA.
10. To prevent the sharing of sensitive information, McSheehan posted a message on the Telegram channel and offered to hand over control of the channel to the US government.
11. The CIA has since corrected the profile and now displays the correct Telegram URL, providing information on how to securely contact the agency in English and Russian.
12. The CIA has not responded to a request for comment, while X’s press office is currently unavailable.