singing blue bird

Twitter security under scrutiny after former executive turns whistleblower

A former Twitter executive has acted as a whistleblower and alleged some serious problems. Provided these accusations are true, the disclosure shows a side of Twitter that poses a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.

Otherwise known as Mudge, Peiter Zatko is a network security expert, open source programmer, writer, and a hacker. His most recent position was as head of security at Twitter, reporting directly to the CEO. He was the most prominent member of the high-profile hacker think tank the L0pht, as well as the computer and culture hacking cooperative the Cult of the Dead Cow. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.

Zatko was fired by Twitter in January for what the company claims was poor performance.

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance.”

Major problems

The 2020 Twitter hack was one of the main reasons for Twitter to hire Zatko, who previously held senior roles at Google, Stripe, and the US Department of Defense. When Zatko arrived at Twitter, he said he found a company with extraordinarily poor security practices, including giving thousands of the company’s employees — amounting to roughly half the company’s workforce — access to some of the platform’s critical controls. His disclosure describes his overall findings as “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

According to Zatko, “it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.”

Infrastructure

Twitter’s flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company’s 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors. Zatko’s letter to a Twitter board member about that issue is included in the disclosure.

The disclosure also claims that Twitter lacks sufficient redundancies and procedures to restart or recover from data center crashes, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline.

FTC

In 2010, the Federal Trade Commission (FTC) filed a complaint against Twitter for its mishandling of users’ private information and the issue of too many employees having access to Twitter’s central controls. Zatko alleges that despite the company’s claims to the contrary, it has never been in compliance with what the FTC demanded over ten years ago.

Elon Musk

After recent events, whenever Twitter is mentioned, the name of Elon Musk comes up as well. Musk, who is engaged in a legal battle with Twitter over his attempt to back out of buying the company,  claims that the number of bots on the platform affect the user experience and that having more bots than previously known could therefore impact the company’s long-term value.

According to Zatko’s disclosure, Twitter’s CEO Parag Agrawal tweeted false and misleading statements about Twitter’s handling of bots on the platform. In fact, he stated, deliberate ignorance was the norm amongst the executive leadership team. The reason is simple to understand, a social platform’s value is based on the number of active users, since that is the potential audience for advertising on the platform. Twitter uses a unique metric called monetizable daily active users (mDAU’s) which it says counts all users that could be shown an advertisement on Twitter.

The company has repeatedly said that less than 5% of its mDAUs are fake or spam accounts. But Zatko’s disclosure argues that by reporting bots only as a percentage of mDAU, rather than as a percentage of the total number of accounts on the platform, Twitter obscures the true scale of fake and spam accounts on the service, a move Zatko alleges is deliberately misleading.

Foreign influence

According to the disclosure, Twitter is exceptionally vulnerable to foreign government exploitation in ways that undermine US national security, and the company may even have foreign spies currently on its payroll.

Last year, prior to Russia’s invasion of Ukraine, Agrawal — then Twitter’s chief technology officer — proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance of the platform, Zatko alleges. While Agrawal’s suggestion was ultimately discarded, it was still an alarming sign of how far Twitter was willing to go in pursuit of growth, according to Zatko.

Zatko’s report is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia.

Motivation

By going public, Zatko says, he believes he is doing the job he was hired to do for a platform he says is critical to democracy.

“Jack Dorsey reached out and asked me to come and perform a critical task at Twitter. I signed on to do it and believe I’m still performing that mission.”

Zatko may be eligible for a monetary award from the US government as a result of his whistleblower activities. Original, timely and credible information that leads to a successful enforcement action by the Securities and Exchange Commision (SEC) can earn whistleblowers up to a 30% cut of agency fines related to the action if the penalties amount to more than $1 million, the SEC has said.

The prospect of a reward was not a factor in Zatko’s decision, he said, and in fact he claims he didn’t even know about the reward program when he decided to become a lawful whistleblower.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.