Interesting... identity (proof/verification) seems to be the core issue here
<p>> In order to bypass the measures X put in place to prevent bot capabilities, the developer inserted code into the project which would allow for the server to bypass X verification methods. Specifically, when X sends an authentication code to an account, the email is sent directly to the server (because the email associated with the account is located on the same server); the code responds by scraping the verification code and responding to X with it. While this tool is specifically coded for X, it is easily adaptable to any social media platform relying on a similar authentication structure. See Figure 9.
<p>---
<p>Mitigations
<p>The authoring organizations recommend social media organizations implement the mitigations below to reduce the impact of Russian state-sponsored actors using their platforms in disinformation campaigns.
<p>- Consider implementing processes to validate that accounts are created and operated by a human person who abides by the platform’s respective terms of use. Such processes could be similar to well-established Know Your Customer guidelines.
<p>- Consider reviewing and making upgrades to authentication and verification processes based on the information provided in this advisory;
<p>- Consider protocols for identifying and subsequently reviewing users with known-suspicious user agent strings;
<p>- Consider making user accounts Secure by Default by using default settings such as MFA, default settings that support privacy, removing personally identifiable information shared without consent, and clear documentation of acceptable behavior.
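<p>Added example, not part of the comment or the quoted advisory: a defender-side review heuristic for the verification flow described in the quote, where codes mailed to accounts on one server are returned automatically. It flags email domains on which several sign-ups returned their codes at machine speed; the event fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample sign-up events (not real data): account id, email address,
# and seconds between the platform sending the code and receiving it back.
EVENTS = [
    ("a1", "kate@mail.example", 412.0),
    ("a2", "li@mail.example", 95.0),
    ("a3", "u001@private-host.test", 1.2),
    ("a4", "u002@private-host.test", 0.9),
    ("a5", "u003@private-host.test", 1.4),
    ("a6", "u004@private-host.test", 1.1),
    ("a7", "sam@smallbiz.test", 2.0),
]

# Assumed thresholds; tune against the platform's own baseline.
MIN_ACCOUNTS = 3        # sign-ups sharing one email domain
MAX_MEDIAN_SECS = 5.0   # faster than a person reading mail and typing a code


def flag_domains(events, min_accounts=MIN_ACCOUNTS, max_median=MAX_MEDIAN_SECS):
    """Return {domain: (account_ids, median_latency)} for domains to review."""
    by_domain = defaultdict(list)
    for account, email, latency in events:
        # rpartition keeps everything after the last "@"; an address with no
        # "@" is grouped under the whole string rather than raising.
        domain = email.rpartition("@")[2].strip().lower()
        by_domain[domain].append((account, latency))
    flagged = {}
    for domain, rows in by_domain.items():
        med = median(lat for _, lat in rows)
        # Both signals must hold: a cluster of accounts AND near-instant replies.
        if len(rows) >= min_accounts and med <= max_median:
            flagged[domain] = ([acct for acct, _ in rows], med)
    return flagged


if __name__ == "__main__":
    for domain, (accounts, med) in flag_domains(EVENTS).items():
        print(f"review {domain}: {len(accounts)} accounts, median {med:.2f}s")
```

A single fast verification is not flagged on its own; the output is a review queue, not a block list.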