Fake Tweet Screenshot Proliferation

I was following some interesting discussions about how no one should trust a print screen of a tweet, and it got me thinking regarding how to overcome such a challenge.

What if somehow we could attach a verifiable piece of text (or image QR code) to a tweet that could quickly disprove a fake print screen or still optimistically could point that this print might be legit.

simulating a verifiable tweet card

I thought about using HMAC to solve this problem, where the secret is something that only Twitter knows and it’s tied to each user. Every tweet must have an SHA 256 signature, signature = HMAC(user.secret, tweet).

For the sake of UX/UI, this signature can show only its first ten characters, a short hash and it still retains a good number of permutations (16^10).

Now when you see a print screen claiming that @someone told “this and that” you can go to somewhere like twitter.com/check and type the username, the message plus its alleged signature and verify whether it’s fake or might be legit. 

Sounds good and simple, done:

package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
)
func main() {
handle := "@someone"
secret := "secret" // belonging to handle
tweet := "tweeted a cat"
h := hmac.New(sha256.New, []byte(secret))
h.Write([]byte(tweet))
sign := hex.EncodeToString(h.Sum(nil))
sep := "—————————————"
fmt.Printf("%s\n%s \n%s \n{sign=%s}\n%s\n", sep, handle, tweet, sign[0:10], sep)
}
view raw tweet_fake.go hosted with ❤ by GitHub

Of course not, such an idea needs to be refined and proven to be safe. I foresee many challenges, one of them being, let’s say someone is trying to check a print however this person might not be able to replicate the images, emojis, special characters or even to match the number of spaces/newlines. 

For that reason, a kind of allow list filtering out anything else might be in hand. The question is, what characters such a set would hold? The basic Latin character set [a-z, A-Z] is not enough. We have special accent characters in languages such as Portuguese, Spanish and French. And languages such as Hebrew, Japanese, Chinese are best represented by Unicode/UTF-8 characters.

Also, since I’m not a security specialist in any capacity, I don’t know what happens if the secret remains the same over time with a ton of tweets and signatures exposed. Is it possible for an observer to break this thing?

Well, that’s my silly approach to try to fight the Fake Tweet Print Screen. What do you think? Is it feasible? Is it even necessary to build such a system? Or is it just a plain stupid idea?

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s