Twitter’s Ex-Security Head Calls Out “Extreme Deficiencies” in Its Security Practices

essidsolutions

Twitter has committed serious security lapses, the company’s former head of security, Peiter “Mudge” Zatko, has claimed in a complaint filed with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Justice Department.

In what could potentially streamline the acquisition of the microblogging platform by Elon Musk, Zatko alleged, as reported by CNN and The Washington Post, that Twitter has an underwhelming security culture, and its platform hosts several vulnerabilities just “waiting to be discovered.”

Twitter has “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy,” Zatko said in the complaint delivered to the U.S. Congress and federal agencies last month.

Zatko further alleged that Twitter’s lax attitude toward the security on the platform (396.5 million users in total, 237.8 million mDAUs in Q2 2022) could easily pave the way for hackers, adversary governments, and others to compromise it, spy on it, and carry out misinformation or disinformation campaigns.

The complaint comes just weeks after the disclosure of a vulnerability that allowed threat actors to collect the data of millions of Twitter users and put it up for sale on the dark web. The company was also slapped with a $150 million privacy-related fine in May 2022.

Javvad Malik, a security awareness advocate at KnowBe4, told Spiceworks, “The allegations will definitely have a long-term effect on Twitter and possibly how other social media platforms manage the security of their platforms.

“The fact of the matter is that at the time of their inception, there was no way that social media organizations could have predicted the massive influence they would have on individuals, organizations, governments, and the world at large,” Malik added.

One of the more damning details shared by Zatko is his inability to control any possible manipulation of the platform made by engineers who sympathized with the January 6 insurrection because all engineers had access. “There was no logging of who went into the environment or what they did… Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Moreover, the leadership has not only misled the board about the platform’s security and about the alleged presence of an Indian government official inside the company, but it has also not been upfront about the most significant point of contention between itself and Musk over his $44 billion acquisition.

“Musk is correct,” Zatko says in the 84-page complaint. “Twitter executives have little or no personal incentive to accurately ‘detect’ or measure the prevalence of spam bots.”

Zatko revealed that Twitter obscures the actual number of fake/spam accounts or bots by measuring them as a percentage of the monetizable daily active users or mDAUs instead of the total number of users on the platform.


Zatko’s claims give teeth to Musk’s case against Twitter, which has sued Musk for trying to terminate the acquisition over the bot issue. The Twitter v. Musk lawsuit is slated to go to trial in October this year.

Chris Clements, the vice president of solutions architecture at Cerberus Sentinel, told Spiceworks, “This is one of those situations where the reputation of the whistleblower itself immediately lends legitimacy to the allegations. On those grounds alone I believe this report deserves serious attention.”

Zatko was hired by then-CEO Jack Dorsey in the aftermath of the July 2020 hack of the Twitter accounts of nearly 130 of the world’s most prominent personalities. He left in January 2022 along with CISO Rinki Sethi (also hired in late 2020), just a couple of months after Parag Agrawal took over Twitter’s reins from Dorsey.

“This [whistleblowing] would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko told The Washington Post. “I want to finish the job Jack brought me in for, which is to improve the place.”

Zatko’s prior credentials include membership in the 1990s of the ethical hacking group Cult of the Dead Cow and of L0pht, where he worked on disclosing security vulnerabilities and earned a reputation as one of the good guys. With L0pht, he famously testified before the U.S. Senate in 1998 that the group could take down the internet in 30 minutes, highlighting the prevalent vulnerabilities of the time.

He later made a mark in the cybersecurity space by working for @stake, BBN Technologies, the Defense Advanced Research Projects Agency (DARPA), Google’s Advanced Technology & Projects division, and the payments startup Stripe before joining Twitter in November 2020.

Malik further told Spiceworks, “Mudge is a long-standing and well-respected member of the security community, and while it appears as if there could be an underlying clash of personalities with Twitter CEO Parag Agrawal, these should not detract from the quite serious security issues that have been highlighted.”

Specifically, Zatko divulged the following:

  • Senior executives have hidden security vulnerabilities,
  • Four out of ten devices lack basic security standards,
  • Twitter doesn’t have any visibility into what employees are doing, which translates into employees having no accountability for their actions,
  • Almost 50% of Twitter employees have access to critical resources and sensitive user data (phone numbers, etc.),
  • Thousands of employee devices have the Twitter source code,
  • Automatic security fixes and firewalls were turned off on almost one-third of devices. These devices also had remote desktop access enabled, a major cause of remote attacks,
  • Half of Twitter’s 500,000 servers lack basic security such as encryption, run on outdated software and do not receive regular security updates,
  • There aren’t sufficient redundancies or procedures for data recovery in the event of crashes,
  • Lack of oversight on employees allowed them to set up spyware at the request of external parties,
  • Twitter faces one security incident per week (the company faced 40 security incidents in 2020),
  • Twitter is aware of Spaces being misused, given it doesn’t have moderation,
  • Twitter’s 2010 settlement with the FTC over failure to protect consumer personal information is a sham, and Twitter misled the federal body,
  • Twitter was not transparent about how it counts bots, and more.


“By providing employees with unrestricted access to user data, Twitter is essentially losing control over its most valuable asset. Not only does this increase the likelihood of the data being compromised, but it also turns Twitter employees into prime targets for phishing scammers who are looking to steal the data,” Julia O’Toole, CEO of MyCena Security Solutions, told Spiceworks.

“Organizations must begin to realize that they are responsible for their data and have a duty to keep it safe. However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control.”

A Twitter spokesperson responded to the allegations:

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Rep. Frank Pallone (D, NJ) tweeted the following:

As Chairman of @EnergyCommerce, I’m carefully reviewing this whistleblower disclosure and assessing next steps. These allegations are alarming and reaffirm the need to pass my comprehensive privacy legislation to protect Americans’ online data. #ADPPA

— Rep. Frank Pallone (@FrankPallone) August 23, 2022

Clements also called for an independent review of Zatko’s claims. “It is vital to independently validate the scale and impact of the claims to fully understand the situation and it’s also important to understand that in any large organization, there are almost assuredly areas of cybersecurity gaps and risks that are monumentally challenging to completely eliminate.”
