Peiter ‘Mudge’ Zatko claimed that Twitter is ‘over a decade behind industry security standards’ and that the company’s leadership is misleading the public about its issues.
Twitter’s former head of security told US lawmakers the company’s leadership chose “profits over security” and failed to address serious vulnerabilities.
Testifying before a US Senate judiciary committee yesterday (13 September), Peiter ‘Mudge’ Zatko made a number of claims about the company’s security practices and said changes are needed to protect its users and “democracy”.
Zatko was hired by Twitter in 2020 but was fired earlier this year after the company accused him of poor performance. He sent a disclosure to US Congress and US federal agencies in July with damning allegations about the company’s security practices and leadership, and then was called on to testify before lawmakers.
“I’m here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said at the US Senate hearing.
Here are the main takeaways.
A focus on profits over security
Zatko claimed that when he joined Twitter, he found that the company was “over a decade behind industry security standards”, but that executives had a focus on revenue.
“When an influential media platform can be compromised by teenagers, thieves and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us,” Zatko said.
He added that Twitter employees shared concerns that organisations that “may or may not be” associated with China’s government were advertising on the platform, despite Twitter being banned within China.
The whistleblower claimed he spoke to a sales executive who said the company would not stop this advertising because “we’re making too much money from these sales”.
Foreign agents
Zatko raised concerns about foreign agents operating within Twitter and on the company’s payroll.
He said he was made aware of “at least one agent” from one of China’s intelligence services working within Twitter. He also believes “with high confidence” that another Twitter employee was an agent from India.
Zatko claimed Twitter executives he spoke with did not appear concerned about the risk of foreign agents within the company. He also said the company “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them”.
He explained that it could be very valuable for a foreign intelligence agency to have agents within the company. He claimed that if an agency wasn’t putting agents in Twitter, it means “you’re most likely not doing your job”.
Inappropriate access to user data
On top of the risk of foreign agents within the company, Zatko claimed that Twitter doesn’t log the activity on its systems.
“There were thousands of failed attempts to access internal systems and nobody was noticing,” he said.
One of the main security vulnerabilities raised by Zatko in his claims was that Twitter employees also have access to “too much data”.
“It’s not far fetched to say that an employee inside the company could take over the accounts of all of the senators in this room,” he said at the hearing.
No fear of fines
The Twitter whistleblower said the company does not have a fear of certain US regulators, referencing the Federal Trade Commission, or FTC.
He said the company had a larger concern about certain data protection authorities outside of the US, such as France’s CNIL, due to the potential to issue more than a one-time fine. One-off fines “didn’t bother Twitter at all” and were “priced into” its business.
Zatko also said the company was being “allowed to grade their own homework” when it came to evaluations and examinations by regulators.
“I think the regulators have tools that do work, but they’re not able to see which tools in their tool belt are the ones actually working,” Zatko said.
Data collection
Zatko claimed that Twitter not only collects personal information on its users and employees, but is also unable to delete data on its systems because “they do not know where it is”.
He said he noticed an internal incident review from 2020 that said the data of 50m Twitter employees had been exposed, which confused him as the company does not have that many employees.
“Twitter has all of the information of all past employees, contractors and other users, because they haven’t deleted that data,” Zatko said.
Not Musk’s ‘smoking gun’
The US hearing comes amid the legal battle between Elon Musk and Twitter. The Tesla boss is attempting to back out of a $44bn takeover deal, claiming he didn’t receive enough information about fake accounts on the platform.
Musk’s legal team have subpoenaed Zatko, while experts have said that the former security chief’s claims could provide a “smoking gun” for Musk’s case.
However, fake accounts were not discussed in great detail during the US Senate hearing. Zatko also made some positive points about Twitter, claiming he still believes in the mission of the company and roots for its success.
When asked if he would buy the company, Zatko said he would but it depends “on the price”.
Twitter’s shareholders voted this week to approve the deal with Musk to buy the company for $44bn. This means Twitter will try to force the billionaire to buy the company for this price in court.
10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.