Twitter Whistleblower: Lack of Access, Data Controls Invite Exploitation

Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on September 13, 2022 in Washington. Zatko says Twitter’s widespread security flaws pose a security risk to users’ privacy and information and could potentially endanger national security. (Photo by Kevin Dietsch/Getty Images)

Twitter’s data logging, access and controls are so poor they virtually invite exploitation by hackers, insider threats, disinformation agents and foreign spies, says former chief information security officer and whistleblower Peiter “Mudge” Zatko.

During testimony before Congress, Zatko, a well-respected information security professional with decades of advocating for better security policy in both the public and private sectors, said Tuesday that after joining Twitter as CISO in November 2020 and speaking to engineers and employees, he realized the company was “more than a decade behind industry safety standards.”

In particular, Twitter’s data infrastructure is so decentralized that not even management knows all the data the company collects or where it is stored. When he raised these concerns with Twitter management, he claimed that their incentive structure had caused them to prioritize “profits over safety.”

“First, they don’t know what data they have, where it is, or where it comes from, and unsurprisingly, they can’t protect it. This leads to the second problem: employees need to have too much access to too much data on too many systems,” Zatko told the Senate Judiciary Committee.

Additionally, Twitter has repeatedly dealt with foreign governments bribing or inducing employees to hand over user data. In 2019, two employees were accused of acting as illegal foreign agents of Saudi Arabia, passing on sensitive user data about critics and dissidents of the royal family in exchange for money, and Zatko said the company has also dealt with at least one Chinese foreign agent inside the company.

He also said that during his time as CISO, he observed at least one instance where a likely foreign agent from India was placed within the company to gain access to information related to Twitter’s ongoing negotiations with Indian government officials over requests to ban certain accounts and content. He also recalled regularly seeing Twitter account IDs offered for sale on the dark web.

But the status quo on Twitter and executives’ preoccupation with growth and handling other public crises meant the company “simply lacked the fundamental capabilities to seek out foreign intelligence agencies and kick them out on their own.”

In the case of the Indian agent, he said he had to commission a small internal team to develop the protocols needed to track and monitor a single individual, a solution that does not scale to Twitter’s larger employee base. The value of such access is so great and so easily obtained that he assumed any foreign country that did not try to place agents within the company was not doing its job.

“From what I understood from the people of the [intelligence] community that focuses on foreign intelligence organizations and assets, if you put someone on Twitter… it would be very hard for Twitter to find them, they would probably be able to stay there for a long time and get a significant amount of information to provide information about people targeting or information about Twitter decisions and discussions and company direction,” Zatko said.

When asked what data the company tends to collect on the average user, Zatko cited a user’s phone numbers, last IP address, other IP addresses, current email, previous emails, where Twitter thinks the user lives, where they are currently logging in from, the language they speak, the type of device they are connected with, their web browser and possibly their type of computer.

Twitter executives denied Zatko’s claims, and after his whistleblower complaint became public, a company spokesperson said he was fired in January for “ineffective and poor leadership performance”. According to the Wall Street Journal, the company paid Zatko $7 million as part of a settlement before he filed the lawsuit. Questions and a request for comment sent to Twitter’s press service were not immediately returned.

Committee Chairman Dick Durbin, D-Ill., argued that Twitter’s infrastructure is too large to leave user data unsecured, likening it to customers giving their money to a bank that then leaves the vault “wide open”. He referred to a widely reported incident in 2020 where two young hackers harassed Twitter employees over the phone, posing as IT support to gain administrative access that allowed them to take over a number of high-profile accounts, including those of then-presidential candidate Joe Biden, former President Barack Obama, Elon Musk, Michael Bloomberg and others.

The potential for damage, according to Durbin, could have been much greater.

“We’ve seen what can happen when petty hackers break into Twitter accounts belonging to government officials, but what if next time it’s not two teenagers trying to pull off a crypto scam?” Durbin said. “Imagine if this is a malicious hacker or a hostile foreign government breaking into the President’s Twitter account, or sending false information claiming there is a terrorist attack on one of our cities? We could see widespread panic.”

The failure to protect user information was already the subject of a 2011 consent decree that the company agreed to with the Federal Trade Commission. However, Zatko said FTC enforcement (usually in the form of one-time fines) is considered ineffective compared to regulation in other countries, such as France, and his testimony indicated that the company has not introduced the safeguards necessary to prevent a similar attack from succeeding in the future.

“It’s not far-fetched to say that a company employee could take over the accounts of all the senators in this room,” he said. “Given the actual harm to users and national security, I determined it was necessary to take the professional and personal risk to myself and my family to become a whistleblower.”