On Thursday, Politico revealed that Donald Trump’s former spokesman Jason Miller had quietly launched a new social media platform called GETTR, a site with a clear right-wing-leaning tagline: “Fighting cancel culture, promoting common sense, defending free speech, challenging social media monopolies, and creating a true marketplace of ideas.”
The site’s first few hours under the spotlight are not going very well.
Videos by VICE
Ashkan Soltani, a security and privacy researcher and former FTC chief technologist, already found a couple of potentially bad privacy bugs. The first, he said, allows anyone to brute-force the app’s API by feeding it a list of email addresses and getting a response that shows which ones have successfully registered with GETTR, effectively allowing anyone to know whether a given person is on GETTR. The second issue, Soltani explained in a tweet, is that it’s possible to see a list of users that any given user has muted or blocked.
Aesthetically and functionally from a user perspective, GETTR is almost a perfect copy of Twitter. GETTR users can follow other users, post, like other users’ posts, repost them or quote them, all with a user interface that’s nearly identical to Twitter’s.
Unlike Twitter, which offers users robust privacy and security features, GETTR is—at least for now—clearly a buggy, leaky clone. The app is somehow using Twitter’s API; in a test Motherboard did on the app, certain people who created GETTR accounts have been able to import seemingly all of their tweets and also their follower count and profiles into the app. On the “Create your account” page, GETTR says “If you use the same username that you use on Twitter, you may be able to import copies of your content from Twitter to GETTR.” Motherboard was unable to sign up for an account because email verification codes for three different email addresses were not sent by the app.
Staunch Trump supporter and Pennsylvania Senate candidate Sean Parnell has 178,400 followers on both GETTR and Twitter, according to screenshots on the app. When you scroll through his followers, it’s not clear how many of them actually have GETTR accounts.
“This app looks like a dumpster fire that was coded from the lavatory of Donald Trump,” Soltani told Motherboard. “It literally took me longer to copy the screenshot images off of my testphone than it did to find the actual bug.”
It’s not just a clone. It piggybacks on Twitter, pulling the social media’s trending topics and using them on GETTR, according to Soltani.
Within one minute of opening the app, while scrolling on an unrelated account, Motherboard was served blatantly violent, racist posts advocating for murdering Black people.
Have you found any bugs or other issues with GETTR? We’d love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, lorenzofb on Wickr and Wire, or email lorenzofb@vice.com
Cybersecurity reporter Zack Whittaker predicted in a tweet that someone is soon going to scrape all the website’s content, taking advantage of the fact that the API exposes a lot of information about any given post. That’s exactly what a hacker did with Parler, another right-wing social media site, in January. The hacker told Motherboard at the time that “Everything we grabbed was publicly available on the web; we just made a permanent public snapshot of it.”
The hacker, who went by donk_enby, had effectively scraped every single Parler post, allowing developers to make maps of videos uploaded to Parler by people who stormed Capitol Hill on January 6, and perhaps pinpoint the identity of some of the insurrectionists.
According to Politico, it’s not clear if Trump is at all involved with the GETTR, but the former president has been searching for a way to connect with his followers online after getting banned from Twitter and Facebook following the January 6 attack on the Capitol. Previously, he had launched a site that looked like Twitter as well, but where he was the only user. That site has since shut down.
GETTR did not immediately respond to a request for comment sent to an email address displayed on the app’s Google Play page.
Subscribe to our cybersecurity podcast, CYBER.