Twitter whistleblower reveals company's 'extreme' security liabilities
Twitter’s former head of security accuses the company of “extreme, egregious deficiencies” in its handling of user information and spam bots in a scathing whistleblower complaint.
Veteran hacker and security expert Peiter Zatko, also known as “Mudge”, claims Twitter has deceived users, board members, and the federal government about the strength of its security measures - accusing it of “extreme, egregious deficiencies”.
The basis of the complaint
Zatko wrote in an analysis in February that was included in the complaint: “Twitter is grossly negligent in several areas of information security, if these problems are not corrected, regulators, media, and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
Zatko filed the complaint, which was first reported by the Washington Post and CNN on Tuesday morning, to the Securities and Exchange Commission (SEC), Department of Justice, and the Federal Trade Commission (FTC). A redacted version of the complaint has been sent to multiple congressional committees.
The filing alleges that Twitter has violated its 2011 settlement with the FTC where the company said it would create an extensive security plan to protect users’ personal information. Zatko states that user data are vulnerable to hacks, including those coming from Twitter’s most high-profile verified handles.
A specific issue he raises is the access that thousands of Twitter employees have to the company’s core software, and what he sees as the weak security of much of their hardware. The complaint alleges that about 30% of laptops in the company automatically blocked updates that included security fixes, and accuses Twitter executives of purposefully misleading the company’s board of directors about these vulnerabilities.
A presentation given late last year to the board’s risk committee showed that 92% of employees’ computers had security software installed. Zatko alleges that, despite his protests, executives failed to tell the board that a third of the company’s computers were still susceptible. After Zatko internally reported that the risk committee’s meeting may have been fraudulent, he was fired by the company's CEO, Parag Agrawal, in January.
The complaint also argues that Twitter has not been upfront about the number of spam bots it deals with. Zatko said he could not get Twitter to give him a straight answer on how much spam and how many bots exist on the platform, adding that Agrawal was “lying” when he said in May that Twitter was “strongly incentivized to detect and remove as much spam” as possible and that company executives were instead encouraged to grow user numbers.
Twitter's string of scandals
Twitter has come under fire in recent months for its management of sensitive user information. Earlier this month, a former Twitter employee was found guilty of spying on Saudi dissidents and passing their information on to the Saudi government. The US Justice Department says he abused his access to Twitter user data, obtaining personal information from political dissidents and passing it on to Saudi Arabia in exchange for a costly watch and hundreds of thousands of dollars.
Twitter also warned that municipal, state, and national governments around the world are increasingly requesting that the company erase content and reveal private information from user accounts, with the company stating that it fulfilled roughly 40% of all requests for user data. The company was also fined $150 million by the US federal government for collecting user email addresses and phone numbers for security purposes and then using them for marketing purposes.
In a statement, Twitter has denied Zatko’s accusations and said that he was let go for poor performance and leadership.
The company told CNN in a statement: “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that are riddled with inconsistencies and inaccuracies and lack important context... Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers, and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Zatko told the Washington Post that he felt “ethically bound” to report his findings and that it “is not a light step to take”. The complaint comes amid Twitter’s legal battle with Elon Musk after the latter dropped his plans to purchase the company for $44 billion, saying the company has underestimated the prevalence of bots on its platforms.
Twitter sued Musk for breaching the contract he signed to buy the tech firm, calling his exit strategy "a model of hypocrisy." The suit filed in the US state of Delaware urges the court to order the billionaire to complete his deal to buy Twitter, arguing that no financial penalty could repair the damage he has caused.
Representatives for Zatko told CNN he had not been in contact with Musk. Meanwhile, Musk’s attorney Alex Spiro said that they have issued a subpoena for Zatko and “found his exit and that of other key employees curious in light of what we have been fighting”.
The company is scheduled to go to trial with Musk in Delaware in October.