An American hacker was able to use a glitch on the CIA’s X account (formerly known as Twitter) to direct potential informants to his own Telegram channel.

The link on the CIA’s X profile offers informants ways to covertly contact the agency – and much of the text is in Russian, to enable people within the country to contact the CIA.

Kevin McSheehan, 37, said that he noticed that the Telegram link on the X page could be hijacked, and redirected it to his own channel to prevent hostile nations exploiting the link.

McSheehan, who describes himself as a ‘pro-CIA patriot’, told the BBC, ‘My immediate thought was panic.

‘I saw that the official Telegram link they were sharing could be hijacked – and my biggest fear was that a country like Russia, China, or North Korea could easily intercept Western intelligence.

‘The CIA really dropped the ball here.’

A hacker was able to divert people to his own Telegram channel


McSheehan is a so-called ‘white hat’ or ethical hacker, who uses skills similar to those of a criminal hacker to prevent data breaches.

The CIA’s X account displayed a link to a Telegram channel, but due to the way X displays links, it linked to an unclaimed Telegram username instead.

McSheehan noticed the issue, which had appeared some time after September 27, and registered the username himself.

That meant that anyone clicking on the link was directed to McSheehan’s own channel – where he warned them not to share any sensitive information.

McSheehan told the BBC, ‘I did it as a security precaution.

‘It’s a problem with the X site that I’ve seen before – but I was amazed to see the CIA hadn’t noticed.’

The CIA’s X page, which has 3.4 million followers, has one link on it, to secure ways to contact the organization.

The most prominent of these is the Telegram channel – which was open to be hijacked for several days at least.

The link at the bottom of the page had been truncated (CIA/X)


The page said, ‘At CIA, we have a solemn duty to protect those who work with us around the world. If you’re reaching out to CIA to share information about Russia, please do so securely via our portal on the dark web.

‘When possible, CIA has verified its social media accounts through each platform’s official process. This is CIA’s official Telegram channel.’

The link was automatically truncated to t.me/s/SecurelyCont – which meant that anyone who registered the account SecurelyCont could hijack the traffic.
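The check below is an added example, not code from the article or from X, Telegram or the CIA: it shows how an account owner could compare the Telegram link they meant to publish with the link target a platform actually rendered, and flag the truncated-handle case described above. The handles are constructed sample values and the function names are hypothetical.

```python
from urllib.parse import urlparse

def telegram_handle(url):
    """Return the lower-cased handle of a t.me link, or None if it is not one."""
    if "://" not in url:
        url = "https://" + url
    parsed = urlparse(url)
    if (parsed.hostname or "").lower() != "t.me":
        return None
    parts = [p for p in parsed.path.split("/") if p]
    if parts and parts[0] == "s":      # t.me/s/<handle> is the web preview form
        parts = parts[1:]
    if not parts:
        return None
    # Drop a trailing ellipsis left by display shortening; handles are case-insensitive.
    return parts[0].rstrip("….").lower() or None

def check_rendered_link(intended_url, rendered_href):
    """Classify the rendered link target against the intended Telegram link."""
    want = telegram_handle(intended_url)
    if want is None:
        raise ValueError("intended URL is not a Telegram link")
    got = telegram_handle(rendered_href)
    if got is None:
        return "not-telegram"
    if got == want:
        return "ok"
    if want.startswith(got):
        return "truncated"   # points at a shorter handle that someone else can register
    return "mismatch"

def audit(intended_url, rendered_hrefs):
    """Return (href, verdict) for every rendered link that is not an exact match."""
    results = [(h, check_rendered_link(intended_url, h)) for h in rendered_hrefs]
    return [r for r in results if r[1] != "ok"]

if __name__ == "__main__":
    # Constructed sample data: the intended link and targets scraped from a profile page.
    intended = "https://t.me/s/ExampleOrgSecureContact"
    rendered = [
        "https://t.me/s/ExampleOrgSecureContact",
        "https://t.me/s/ExampleOrgSec",
        "https://example.com/contact",
    ]
    for href, verdict in audit(intended, rendered):
        print(f"{verdict:13} {href}")
```

Running a comparison like this against the live profile after each edit, and periodically afterwards, would surface a truncated target before an outsider registers the shorter handle.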

McSheehan linked it to a channel which said, ‘THIS IS NOT AN OFFICIAL CIA CHANNEL — DO NOT SHARE SENSITIVE INFORMATION WITH ANYONE.’

It repeated the information in Cyrillic.

The CIA's headquarters in Langley, Virginia


Speaking to Motherboard, the Maine-based security researcher said, ‘I was motivated by National Security.

‘I assumed that it was a very recent mistake and that a bad actor was going to capitalize on it at any minute. I didn’t even need to think—I just locked it down. I appointed myself the gig on the spot. I’m patriotic, very pro-CIA and have a documented history of whitehatting.’

McSheehan blamed technical changes at X (formerly Twitter) for the issue.

He said, ‘The CIA is solid. X has been buggy for months with links, text formatting, etc. Blame really can’t be placed on the CIA. Did they drop the ball? Yes kind of—but everyone drops the ball sometimes.’

The issue was rapidly rectified after it was mentioned in media reports, but the CIA has not commented.  

This post first appeared on Dailymail.co.uk
