Fact Check
A screenshot showing the supposed configuration file went viral across the platform formerly known as Twitter.
Jack Izzo
Published July 26, 2024
");}else if(is_tablet()){slot_number++;document.write("
Advertisment:
");}
Claim:
A screenshot accurately showed a list of X users, all prominent conservative accounts, who were allowed to post racial slurs without facing repercussions.
Rating:
FakeAbout this ratingOn July 25, 2024, an X user named "Anti-Fascist Turtle" posted an image allegedly showing a list of accounts on that social platform that were allowed to break the site's terms of service without penalty, including a list of racial slurs the accounts were supposedly allowed to use.
The accounts included prominent conservative accounts like EndWokeness and LibsOfTikTok, former U.S. President Donald Trump, X owner Elon Musk and the official account of the Russian Ministry of Foreign Affairs. The "Anti-Fascist Turtle" account was suspended by the platform not long after making the post.
But it was too late — the post had already gone viral, and original poster's account being suspended only increased how fast the image spread. The original poster dubbed the screenshot and its supposed findings a "Twitter API leak," and many users used that phrasing when sharing the post.
Snopes readers wrote to ask us to investigate whether the Twitter API leak and its alleged findings were real. We found that the image was fake, and that the findings were not real.
In order to best understand the fine details of the situation, Snopes spoke via direct message with cybersecurity expert and hacktivist maia arson crimew, best known for publishing a 2019 version of the TSA's no-fly list.
Crimew drew specific attention to the content of the lists, calling them "perfectly optimized for outrage," given the large public profiles of the accounts and the list of words the accounts could supposedly use consisted of mostly racial slurs.
In response to the outrage, that poured in on the platform after the post went viral, X added the rarely-used "manipulated media" tag underneath the posts. However, crimew said adding the tag might have backfired because people were generally unfamiliar with it.
"It just made people think even harder it's a conspiracy," she said.
Given some of the biases users on the platform hold against the company and Musk, crimew had a point. Seeing a "manipulated media" tag and the original poster's account suspension may have led people to believe the company was attempting to cover up "the truth."
So what was actually going on?
Okta
According to crimew, the screenshot claimed to show a "configuration file" for X hosted on an Okta server. The screenshot contained a list of accounts supposedly "excluded from automatic moderation and a list of words [said accounts] allegedly aren't being automatically moderated for [using]."
Okta is a company known as an "identity provider" — it produces software that allows other companies to add authentication to sites.
When signing into a modern website, users are asked to either provide a username and a password, or they can click a button allowing them to sign in with another platform, most commonly Google or Facebook. Okta makes software comparable to the "sign in with Google" button, but with even more power and integration behind the scenes.
According to crimew, former X employees have said that the company did use Okta, but only internally. Furthermore, Okta's software plays no part in user moderation.
In other words, finding information related to user moderation on an Okta server, which likely would have been managing logins and authentications, would be strange — like finding a live shark in a refrigerator.
Snopes reached out to Okta to ask for a comment on the matter. A spokesperson for the company told us via email that the screenshot was fake.
Moderation on X
Another major problem with the supposed leak that X already had a moderation feature that could theoretically do the same thing.
Internet moderation is frequently automated because people post too much content for humans to manually review all of it. However, automatic moderation creates its own problems, including mass reporting brigades. In order to avoid such problems, X can add a flag to individual account profiles that requires any moderation actions against that profile to be manually approved.
While X does not officially state what this tool is meant for, crimew said social media sites use similar tools for three reasons: safeguarding against mass reporting; ensuring that official government accounts are not targeted by automatic moderation, which could otherwise have unintended geopolitical impacts; and to easily comply with requests to preserve social media activity from law enforcement agencies.
The system has been public knowledge since the so-called "Twitter Files," which Musk released to a select group of journalists and writers when he bought the company in 2022. A screenshot of the moderation tool appeared in a December 2022 TechCrunch article, where it was applied to the account LibsOfTikTok, also notably featured on the supposed list from the API leak.
However, this simply underlies the fact that the X platform already has such a tool. Crimew said the supposed API leak would have been a second, more-primitive implementation of the same feature. In other words, if X leaders truly wanted to allow the small list of accounts present on the API leak to break the website's rules, they would have already had the tools to do so.
Snopes reached out to X to ask for comment about the screenshot beyond the "manipulated media" tag the site had applied to the posts sharing the supposed leak. A spokesperson confirmed via email that the screenshot was fake. The spokesperson also provided us a link to a X post from one of the company's security engineers publicly stating that the screenshot was fake.
At this point in our investigation, we were quite confident that the screenshot and its supposed findings were fake. Our last step was to attempt to determine where this misinformation came from.
Vx-underground
The story began with vx-underground, an online website and research group for malware that claims to have the world's largest collection of malware code samples. Vx-underground's administrator and founder, smelly_vx, takes tips and discusses cybersecurity breaches and hacks on the site's X account.
According to a thread posted by the vx-underground account on X, smelly_vx received an anonymous DM on X with a link to the screenshot that would end up going viral. After a brief look, he chose to share the screenshot and information to vx-underground's Discord server. However, when he posted the image on Discord, writing "prepare for twitter s***storm. someone found exposed okta configs for twitter. twitter gives priv[eliges] to right-wing platforms," he had not verified whether the information was legitimate.
The group quickly began investigating the supposed leak, but could not reproduce anything. As such, vx-underground decided to pass the screenshot on to someone else to investigate. However, one unidentified user shared a redacted version of the post on Discord to X, leaving vx-underground members scrambling to figure out what had happened while the post was going viral.
The vx-underground team declined to publish a correction because the issue would be "forgotten in the next 2 days," but repeatedly directed commenters to a post explaining that they had not been able to independently verify any of the information.
According to an X thread posted by the user Rhinozzcode, who collaborates with crimew, neither smelly_vx's announcement on the vx-underground Discord server nor the X post that sent the post viral noted that the supposed information had not yet been verified.
Sources
Coldewey, Devin. "Musk's 'Twitter Files' Offer a Glimpse of the Raw, Complicated and Thankless Task of Moderation." TechCrunch, 9 Dec. 2022, https://techcrunch.com/2022/12/09/musks-twitter-files-offer-a-glimpse-of-the-raw-complicated-and-thankless-task-of-moderation/.
"Diving Deep into the Abyss of Cybersecurity: A Voyage through VX-Underground." The Final Hop, 29 June 2023, https://www.thefinalhop.com/diving-deep-into-the-abyss-of-cybersecurity-a-voyage-through-vx-underground/.
Employee and Customer Identity Solutions | Okta. https://www.okta.com/. Accessed 26 July 2024.
Hearing, Alice. "TSA's No-Fly List Was Exposed by a 'Bored' Hacker." Fortune, https://fortune.com/2023/01/23/tsa-no-fly-list-exposed-commuteair-hacker-maia-arson-crimew-found-when-bored/. Accessed 26 July 2024.
Hollingworth, David. Outcry after Alleged 'Protected' List of Far-Right X Users Leaked Online. 25 July 2024, https://www.cyberdaily.au/culture/10883-outcry-after-alleged-list-of-list-of-protected-list-of-far-right-x-users-leaked-online.
How Vx-Underground Is Building a Hacker\'s Dream Library. https://therecord.media/how-vx-underground-is-building-a-hackers-dream-library. Accessed 26 July 2024.
Thalen, Mikael. "Elon Musk Didn't Secretly Give Trump Permission to Say the N-Word on X." The Daily Dot, 25 July 2024, https://www.dailydot.com/debug/twitter-api-leak/.
"X.Com." X (Formerly Twitter), https://x.com/RhinozzCode/status/1816542571650585036. Accessed 26 July 2024.
"---." X (Formerly Twitter), https://x.com/SaudaBTD6/status/1816252277335941578/photo/1. Accessed 26 July 2024.
"---." X (Formerly Twitter), https://x.com/awawawhoami/status/1816248198442209390. Accessed 26 July 2024.
By Jack Izzo
Jack Izzo is a Chicago-based journalist and two-time "Jeopardy!" alumnus.
Advertisment:
Article Tags
TwitterHackersHacking
");}}// Page is not a test page, add the sticky adelse{// Create the inner div elementvar innerDiv = document.createElement("div");innerDiv.className = ad_name;// Get a reference to the body elementvar body = document.getElementsByTagName("body")[0];// Insert the outer div as the first child of the bodybody.insertBefore(innerDiv, body.firstChild);}Advertisem*nt:
') }
