A Researcher Hijacked the CIA's Secure Contact Link for Informants Due to a Flaw in X

Kevin McSheehan discovered that the CIA's link for informants was bugged on X, leaving the door open for a malicious actor to impersonate the agency.
A security researcher hijacked a Telegram link on X (formerly Twitter) meant to direct informants to a secure way to contact the CIA. Their motivation, they told Motherboard, was to prevent a malicious actor from hijacking the link first and impersonating the CIA for nefarious reasons.

As first reported by the BBC, 37-year-old Kevin McSheehan—who goes by “pad” online—discovered the issue by accident. Since May, the CIA has run a Telegram channel with instructions in English and Cyrillic for reaching out to the spy agency securely using the Tor browser for the dark web. McSheehan discovered that the link to that channel, which is posted to the CIA’s bio on X, was shortened so that it linked to an unclaimed Telegram account: “t.me/s/SecurelyCont.” Archived versions of the CIA’s X account confirm that this was the case since the beginning of October. 

What this meant was that anyone in the world who noticed this flaw could register that Telegram account, and then anyone visiting it—potentially with the intention of becoming an informant for the CIA—would see whatever the attacker wanted. In theory, they could easily impersonate the CIA at the link, as it was prominently displayed on the agency’s official X page. McSheehan decided to register the Telegram link before a malicious actor could. 
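A defender-side check for the failure mode just described, added here as an example and not code from the article, X, or the CIA: it canonicalizes Telegram links (including the `/s/` public-channel preview path seen in the bugged URL) and flags a displayed handle that is a truncation of the intended one, which is exactly the condition that lets a different account be registered at the shortened address. The intended handle in the sample is a constructed placeholder, not the agency's real channel.

```python
"""Audit a published contact link against its intended destination.

Example code added to this article (not from X or the CIA). Runs offline:
it compares handles, it does not query Telegram.
"""
from urllib.parse import urlsplit


def telegram_handle(link: str) -> str:
    """Return the canonical (lower-cased) handle from a t.me link.

    Accepts 'https://t.me/<handle>', 't.me/<handle>' and the public-channel
    web-preview form 't.me/s/<handle>'. Telegram handles are case-insensitive.
    """
    if "://" not in link:
        link = "https://" + link          # bare 't.me/...' as shown in a bio
    parts = urlsplit(link)
    if parts.netloc.lower() not in ("t.me", "telegram.me"):
        raise ValueError(f"not a Telegram link: {link}")
    segments = [s for s in parts.path.split("/") if s]
    if segments and segments[0] == "s":   # drop the '/s/' preview prefix
        segments = segments[1:]
    if not segments:
        raise ValueError(f"no handle in link: {link}")
    return segments[0].lower()


def audit_link(intended: str, displayed: str) -> dict:
    """Compare the handle a profile actually links to with the intended one.

    A displayed handle that is a strict prefix of the intended handle is the
    truncation pattern from the article: the short form is a different
    account name that anyone could claim.
    """
    want = telegram_handle(intended)
    got = telegram_handle(displayed)
    if got == want:
        return {"ok": True, "reason": "match", "handle": want}
    if want.startswith(got):
        return {"ok": False, "reason": "truncated",
                "detail": f"'{got}' is a prefix of '{want}' and may be claimable"}
    return {"ok": False, "reason": "mismatch",
            "detail": f"expected '{want}', found '{got}'"}


if __name__ == "__main__":
    # Constructed intended handle (placeholder); the displayed link is the
    # shortened one the article reports appearing in the CIA's X bio.
    INTENDED = "https://t.me/SecurelyContactExample"
    DISPLAYED = "t.me/s/SecurelyCont"
    print(audit_link(INTENDED, DISPLAYED))
```

Run it against every external link in an official profile whenever the bio is edited; a `truncated` or `mismatch` result means the published link no longer points where you think it does.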

McSheehan called the Telegram channel “X/CIA URL ISSUE — SECURED BY X.COM/123456 [McSheehan’s X account].” The first post that greets visitors says, “THIS IS NOT AN OFFICIAL CIA CHANNEL — DO NOT SHARE SENSITIVE INFORMATION WITH ANYONE,” and repeats that message in Cyrillic. 

“I was motivated by NATSEC,” McSheehan told Motherboard. “I assumed that it was a very recent mistake and that a bad actor was going to capitalize on it at any minute. I didn't even need to think—I just locked it down. I appointed myself the gig on the spot. I'm patriotic, very pro-CIA and have a documented history of whitehatting.”

The issue has since been corrected and the CIA’s X page now correctly links to the agency’s Telegram for informants. 

According to McSheehan, the issue lies with X rather than with the CIA. “The CIA is solid. X has been buggy for months with links, text formatting, etc,” he said. “Blame really can't be placed on the CIA. Did they drop the ball? Yes kind of—but everyone drops the ball sometimes. Even in the [intelligence community].”

When reached for comment, X sent Motherboard a boilerplate response email.

“If any bug bounty…is offered related to this incident—I will decline it and instead have it issued to DAV (Disabled American Veterans) to thank them for their sacrifices,” McSheehan said. “I also thank the CIA at large for everything they do. They [catch] a lot of criticism—but they also catch a lot of terrorists. I'm infinitely grateful for having been able to assist them in any capacity.”