After being deplatformed a little while ago, Donald Trump created his Twitter clone, Truth Social. As you can imagine, Truth Social launched to about as much fanfare as a fart in an elevator. Still, my curiosity got the better of me.
For whatever reason, the site is currently restricted to Canada and the United States. And, it is worth pointing out that this restriction is Truth Social themselves restricting which countries can access the site. I am not sure what the reason is for restricting access. Seems ironic given it’s meant to be a Twitter-esque site for free speech.
Step one: operation geoblock
Step one was bypassing the geoblock using a VPN. To the credit of whoever built the site, I had to cycle through a couple of VPN regions in Private Internet Access before I found one that worked. The couple I tried gave me an access denied message, most likely a CDN block.
I doubt whoever built the site created their own geo detection and block functionality. You can achieve this using Amazon Cloudfront and other online services that make this kind of task trivial.
The registration process is rather convoluted. Once you enter your date of birth and email address, you are sent a verification email. Once you verify, you must go back to the homepage and click “Create an account” again to be presented with the next step.
Step two: operation text message bypass
Once you confirm your email address and go to the next step, you’re asked to enter your phone number.
The two options for country code are +1 and +44. I live in Australia, which is country code +61. Notably absent from the list.
My first thought was to try entering +61, followed by my phone number, into the field, which didn’t work.
So, the next thing I tried was editing the HTML of the page using Developer Tools. It’s rather simple, right-click the select input and click “Inspect element.”
As you can see, the values are numeric without the plus in front. So, I edited 1 to be 61 to match my country code. I then entered my mobile number and clicked next.
Once you edit the value, click off the value (select the other option) and then the one you selected. Otherwise, the change won’t be set and still be +1.
The phone number gets posted to this endpoint: https://truthsocial.com/api/v1/pepe/verify_sms/request
The value sent up is the country code with plus followed by your number. In my case (and this is not my real number), it sent up something like this:
{
phone: "+61432123456"
}
Step three: profit???
I was able to register, even though I don’t live in Canada or the US. The title gives things away, but here is my verification text message. Easy peasy.
Whatever restriction they have on country and region appears superficial and easy to bypass. Not many would go to the effort to join Truth Social by editing HTML to bypass an SMS block. Maybe this is intentional?
The bigger question this raises is, what else are they not properly validating in their API? If I can get around their geoblock, even the text message part, were other shortcuts taken during the development of this site?
Oh, if you’re curious what Truth Social looks like:
It looks like someone took a design concept from Dribbble and turned it into a real site. Other than that, it’s a pretty Twitter-esque-looking social media platform. Perhaps most surprising was seeing real media outlets like Washington Examiner using the platform.
Bonus round: the old switcheroo
Then my curiosity went further. What would happen if I logged in and turned off my VPN?
Uh oh. The site goes into a death spiral, it seems. I get a tonne of, “The request was a legal request”, and the site gets confused.
Going back into Developer Tools paints a funny picture:
The site seems to know I am an authenticated user, so it keeps trying to request to load my timeline. But, looking at the payload, the response is the homepage with the denied message because the geoblock is kicking in.