
Twitter whistleblower: Lack of access, data controls invite exploitation

Peiter “Mudge” Zatko, former head of security at Twitter, testifies at the Senate Judiciary Committee on Sept. 13, 2022, in Washington. Zatko claims that Twitter’s widespread security failures pose a security risk to users’ privacy and information and could potentially endanger national security. (Photo by Kevin Dietsch/Getty Images)

Twitter’s logging, access and data controls are so poor that they practically invite exploitation by hackers, insider threats, disinformation agents and foreign spies, according to former chief information security officer and whistleblower Peiter “Mudge” Zatko.

In testimony to Congress, Zatko, a well-respected information security professional with a decades-long record of advocating for better security policy in the public and private sectors, said Tuesday that after joining Twitter as its CISO in November 2020 and speaking to engineers and employees, he realized the company was “more than a decade behind industry security standards.”

In particular, Twitter’s data infrastructure is so decentralized that not even leadership knows all the data the company collects or where it’s stored. When he brought those concerns to Twitter’s leadership, he claimed their incentive structure led them to prioritize “profits over security.”

“First, they don’t know what data they have, where it lives, or where it came from and so unsurprisingly, they can’t protect it. That leads to the second problem: employees need to have too much access to too much data on too many systems,” Zatko told the Senate Judiciary Committee.

Additionally, Twitter has repeatedly dealt with foreign governments bribing or enticing employees to hand over user data. In 2019, two employees were charged with acting as illegal foreign agents of Saudi Arabia, passing over sensitive user data on critics and dissidents of the royal family in exchange for money, and Zatko said the company’s also dealt with at least one Chinese foreign agent inside the company.

He also said in his time as CISO, he observed at least one instance where a likely foreign agent from India was placed inside the company to gain access to information related to Twitter’s ongoing negotiations with Indian government officials over requests to ban certain accounts and content. He also recalled routinely seeing Twitter account credentials listed for sale on the dark web.

But the status quo at Twitter and preoccupation of leadership with growth and managing other public crises meant the company “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”

In the case of the Indian agent, he said he had to task a small internal team to develop the protocols needed to track and monitor just that one individual, a solution that isn’t scalable to Twitter’s larger employee base. The value of such access is so great and easy to gain that he surmised any foreign country not attempting to place agents inside the company wasn’t doing its job.

"From my understanding from people in the [intelligence] community who focus on foreign intelligence organizations and assets, if you placed somebody in Twitter…it would be very difficult for Twitter to find them, they would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or information as to Twitter's decisions and discussions and as to the direction of the company," said Zatko.

When asked what data the company tends to collect on the average user, Zatko cited a user's phone numbers, their latest IP address, other IP addresses, their current email, prior emails, where Twitter thinks the user lives, where they are currently connecting from, what language they speak, the type of device they are connecting with, their web browser, and possibly their type of computer.

Twitter executives have denied Zatko's claims, and after his whistleblower complaint was made public, a company spokesperson said he was fired in January for "ineffective leadership and poor performance." According to the Wall Street Journal, the company paid Zatko $7 million in a settlement prior to his submission of the complaint. Questions and a request for comment sent to Twitter's press office were not immediately returned.

Committee chair Dick Durbin, D-Ill., made the case that Twitter’s infrastructure is too important to leave user data unsecured, likening it to customers giving their money to a bank that then leaves the vault “wide open.” He referenced a widely reported 2020 incident where two young hackers spear-phished Twitter employees over the phone, posing as IT support to gain administrative access that allowed them to take over a number of high-profile accounts, including those of then-presidential candidate Joe Biden, former President Barack Obama, Elon Musk, Michael Bloomberg and others.

The potential for damage, Durbin argued, could have been far greater.

“We’ve already seen what can happen when small-time hackers break into Twitter accounts belonging to government officials, but what if next time it isn’t two teenagers trying to pull a crypto scam?” said Durbin. “Imagine if it’s a malicious hacker or a hostile foreign government breaking into the President’s Twitter account, or sending out false information claiming there was a terrorist attack on one of our cities? We could see widespread panic.”

The failure to safeguard user information was already the subject of a 2011 consent decree the company agreed to with the Federal Trade Commission. However, Zatko said that FTC enforcement (usually in the form of one-time fines) is viewed as toothless compared to regulation from other countries, like France, and his testimony indicated that the company hasn’t introduced the safeguards necessary to prevent a similar attack from succeeding in the future.

“It’s not far-fetched to say that an employee at the company could take over the accounts of all of the senators in this room,” he said. “Given the real harm to users and national security I determined it was necessary to take on the professional and personal risk to myself and my family of becoming a whistleblower.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
