This morning Donald Trump posted the retweet above. Whenever I see Trump retweet an account I don't recognize, I instantly have to start digging. Now I will show you how to dig as well.
My first big indication was that Trump retweeted this within 5 minutes. That seems rather quick, but still not enough to really make me declare this some bot. So I decided to dig further.
Twitter offers an API, which is an acronym for Application Programming Interface. It's how things like Hootsuite, Tweetdeck and even the Twitter mobile apps connect with Twitter. To help developers out, they also provide a console. So what does that show me? Well let me show you how to utilize this awesome forensic tool and then you can see exactly what I found.
First, you must have a Twitter account and be logged in in order to utilize the console.
Now go to the Twitter API console here https://dev.twitter.com/rest/tools/console (if it comes up blank, hit refresh.) You should see this screen:
(NOTE: The Twitter API console isn't that user friendly. If you aren't using a large monitor, then click the full screen icon on the top right of the gray console box.)
I highlighted the item you want to click above.
Next click the authentication drop down in the image above and select "OAuth 1". You will get a couple of pop-ups. Just click to authorize the app, then you will be logged into the console.
Now you're going to need to supply the tweet ID. Click on the template tab, as shown in the image above, and put the ID in there. To get the ID, you take the URL of the original tweet, in this case
. The ID is that string of numbers at the end. Put that in the ID field above, as I have done above, and click the red "send" button.
Once you click send, the bottom boxes will fill with the results. What we want is the very last line in the right column:
As I noted above, this console isn't that friendly. If you don't see that line, then you may have to put the console into full screen mode by clicking the icon on the top right of the console. If you see the yellow, highlighted area in the image above, then you got the data you need, but it's cut off, so triple click on it to select that entire line (including the hidden stuff), then right click and select copy.
The line that starts with "source":, which I highlighted above, is what we are interested in.
So, what exactly does "source" mean? Well if you look at the description from the Twitter API docs:
Utility used to post the Tweet, as an HTML-formatted string. Tweets from the Twitter website have a source value of web.
In this case the source on that tweet comes up as:
\u003ca href=\"http:\/\/erased14087494.com\" rel=\"nofollow\"\u003eerased14087494\u003c\/a\u003e
That's simply encoded HTML for a link. It now shows erased14087494.com as the source of the Twitter API application used to post that tweet, which means the app was deleted, either by the user that created it or by Twitter. Originally it showed:
"source": "\u003ca href=\"https:\/\/www.simonbravery.com\" rel=\"nofollow\"\u003eAvotova 06\u003c\/a\u003e",
If it were a tweet by an actual human through something like the web, Tweetdeck, Android, iPhone or another commonly used Twitter product, the source would show that product instead.
Now just seeing the original source (simonbravery.com) wouldn't necessarily indicate that it's a bot. There are countless apps out there people use to post to Twitter. But the fact that this app was quickly deleted afterwards indicates that something very fishy is going on here, and I'm 99.9% sure that it is a bot someone was working on.
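If you would rather not decode the copied line by eye, the following Python sketch does it for you. It is an added example, not code from the original post: it takes the "source" line as copied from the console, undoes the JSON escaping, and pulls out the app name and link. The `COMMON_CLIENTS` set and the function names are assumptions made for illustration.

```python
import json
from html.parser import HTMLParser

# Assumed labels for commonly used clients; "web" is the value the API docs quote above.
COMMON_CLIENTS = {"web", "Twitter Web Client", "Twitter for iPhone",
                  "Twitter for Android", "TweetDeck"}

# The two values shown on this page ("source": wrapper added to the erased one).
SAMPLE_ORIGINAL = r'"source": "\u003ca href=\"https:\/\/www.simonbravery.com\" rel=\"nofollow\"\u003eAvotova 06\u003c\/a\u003e",'
SAMPLE_ERASED = r'"source": "\u003ca href=\"http:\/\/erased14087494.com\" rel=\"nofollow\"\u003eerased14087494\u003c\/a\u003e"'


class AnchorParser(HTMLParser):
    """Collects the href and the visible text of the first <a> element."""

    def __init__(self):
        super().__init__()
        self.href = None
        self.text = ""

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.href is None:
            self.href = dict(attrs).get("href")

    def handle_data(self, data):
        self.text += data


def parse_source(raw_line):
    """Return (app_name, app_url) from a copied '"source": "...",' line."""
    fragment = raw_line.strip().rstrip(",")          # drop the trailing JSON comma
    html = json.loads("{" + fragment + "}")["source"]  # decodes \u003c, \" and \/
    parser = AnchorParser()
    parser.feed(html)
    parser.close()
    return parser.text.strip(), parser.href          # href is None for plain "web"


def describe(raw_line):
    """Summarise the posting app and whether it is a commonly used client."""
    name, url = parse_source(raw_line)
    kind = "common client" if name in COMMON_CLIENTS else "third-party app"
    return {"app": name, "url": url, "kind": kind}


if __name__ == "__main__":
    for line in (SAMPLE_ORIGINAL, SAMPLE_ERASED, '"source": "web"'):
        print(describe(line))
```

A "third-party app" result only tells you the tweet did not come from one of the listed clients; as noted above, that alone does not make the account a bot.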
So now you have a little insight and are on your way to becoming a tweet sleuth. It's very interesting to see what has been retweeted from the people inside 1600 Pennsylvania Propaganda Avenue.