Twitter whistleblower reveals company’s ‘extreme’ security responsibilities


Twitter’s former chief security officer accuses the company of “extreme and glaring deficiencies” in its handling of user information and spam bots in a scathing whistleblower complaint.

  • Ex-executive slams ‘extreme’ Twitter security hacks

Veteran hacker and security expert Peiter Zatko, also known as “Mudge”, claims that Twitter has misled users, board members and the federal government about the strength of its security measures – the accusing him of “extreme and flagrant deficiencies”.

The basis of the complaint

Zatko wrote in an analysis in February that was included in the complaint: “Twitter is grossly negligent in several areas of information security, if these issues are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn of Twitter’s severe lack of basic security.

Zatko filed the complaint, which was first reported by the Washington Post and CNN Tuesday morning at the Securities and Exchange Commission (SEC), the Department of Justice and the Federal Trade Commission (FTC). A redacted version of the complaint was sent to several congressional committees.

The filing alleges that Twitter violated its 2011 settlement with the FTC where the company said it would create an extensive security plan to protect users’ personal information. Zatko says user data is vulnerable to hacks, including those from Twitter’s most prominent verified handles.

A specific issue he raises is the access thousands of Twitter employees have to the company’s core software and the low level of security he sees on much of their hardware. The complaint alleges that about 30% of the company’s laptops automatically blocked updates that included security patches, accusing Twitter executives of deliberately misleading the company’s board about these vulnerabilities.

A presentation made late last year to the board’s risk committee showed that 92% of employee computers were equipped with security software. Despite his protests, Zatko alleges that executives did not tell them that a third of the company’s computers were still sensitive. After Zatko reported internally that the risk committee meeting may have been fraudulent, he was fired by company CEO Parag Agrawal in January.

The complaint also claims that Twitter has not been upfront about the number of spam bots it deals with. Zatko said he couldn’t get Twitter to tell him a straight answer about how much spam and bots exist on the platform, adding that Agrawal was “lying” when he said in May that Twitter had “strong incentives to detect and remove so much spam”. as possible and that company leaders were instead encouraged to increase the number of users.

The series of scandals on Twitter

Twitter has come under fire in recent months for its handling of sensitive user information. Earlier this month, a former Twitter employee was convicted of spying on Saudi dissidents and passing their information to the Saudi government. The US Department of Justice says it abused its access to Twitter user data, obtaining personal information from political dissidents and handing it over to Saudi Arabia in exchange for an expensive watch and hundreds of thousands of dollars.

Twitter also warned that municipal, state and national governments around the world are increasingly asking the company to erase content and reveal private information from user accounts, with the company saying it has responded. about 40% of all user data requests. The company was also fined $150 million by the US federal government for collecting users’ email addresses and phone numbers for security purposes and then using them for marketing purposes.

In a statement, Twitter denied Zatko’s accusations and said he was fired for poor performance and leadership.

The company said CNN in a statement: “What we have seen so far is a false narrative about Twitter and our privacy and data security practices which are riddled with inconsistencies and inaccuracies and lack important context…The allegations of Mr. Zatko and the opportunistic timing appear designed to capture attention and harm Twitter, its customers and its shareholders Security and privacy have long been company-wide priorities at Twitter and will continue to be.

Zatko told the Washington Post that he felt “ethically bound” to report on his findings and that it “is not a light step to take”. The company has underestimated the prevalence of bots on its platforms.

Twitter sued Musk for breaching the contract he signed to buy the tech company, calling his exit strategy a “pattern of hypocrisy”. The lawsuit filed in the US state of Delaware urges the court to order the billionaire to close his deal to buy Twitter, arguing that no financial penalties could repair the damage he caused.

Zatko representatives said CNN he had not been in contact with Musk. Meanwhile, Musk’s attorney, Alex Spiro, said they issued a subpoena to him and “found his release and that of other key employees curious in light of what we have been battling.”

The company is due to go on trial with Musk in Delaware in October.

Read more: MBS crackdown: Saudi mother sentenced to 34 years for tweeting


Comments are closed.