Twitter’s former head of security has blown the whistle on what he characterizes as sprawling cybersecurity weaknesses, including vulnerabilities that could lay the social media platform open to cyberattacks that could have major national-security implications.
That’s the allegation from Peiter “Mudge” Zatko, who sent a 200+-page disclosure to Congress detailing issues that he claims could allow foreign manipulation of users, account hacking and espionage, and disinformation campaigns ahead of the 2022 US midterm elections.
The disclosure, obtained exclusively by CNN and The Washington Post, most explosively alleges that the tech giant has one or more employees that are actually plants working for foreign intelligence, and that top execs have actively engaged in a cover-up of Twitter’s serious security holes.
Zatko, who has a decades-long history and reputation in the ethical hacking space, laid out an internal scene where mismanagement and a lack of cohesive security oversight allow over-permissioned access to the company’s most sensitive information and control platforms, while bots (disinformation-focused and otherwise) run amok and corporate leadership looks the other way. To boot, Zatko said that Twitter CEO Parag Agrawal told him to make his reports on Twitter’s security problems rosier than they deserved to be, and that he was directed to omit damning data in order for the company to appear to be making progress on the security and privacy fronts.
When it comes to privacy, Zatko also alleged that Twitter does not steward user information well, often losing track of it or not deleting data when it’s required to do so (such as when a user cancels an account).
The allegations certainly fall in the “bombshell” category, but some in the security community are unsurprised by the claims, especially given the infamous compromise of verified accounts in 2020 by an attacker who was able to access Twitter’s internal control platforms.
“From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems,” says Aaron Turner, chief technology officer of SaaS Protect at Vectra. “If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise.”
For its part, Twitter denies the allegations and claims Zatko should be discredited given that he was fired in January for “poor performance.”
“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” a Twitter spokesperson told CNN. “Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Agrawal weighed in on Tuesday, saying in a corporate memo posted on Twitter that the company is reviewing the claims. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” he wrote.
Lawmakers, Cybersecurity Community React
Where the truth lies could come to light sooner rather than later, given that Zatko’s report has gotten the attention of lawmakers on both sides of the aisle. Senate Judiciary Chair Sen. Dick Durbin (D-Ill.) said that he will “take further steps as needed to get to the bottom of these alarming allegations. … The claims I’ve received from a Twitter whistleblower raise serious national security concerns.”
Sen. Chuck Grassley (R-Iowa), ranking member of the Judiciary Committee, told CNN that the allegations should raise very loud alarm bells.
“Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you’ve got a recipe for disaster,” he said. “The claims I’ve received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further.”
Casey Ellis, founder and CTO at Bugcrowd, said the scrutiny will hopefully prompt a larger discussion around how much oversight, scrutiny, and regulation social media platforms should have.
“I can’t speak to the specifics of the disclosures themselves, but I’m definitely pleased to see this prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on security and privacy — especially as the US approaches midterms and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms wish to avoid, but it is a conversation we need to have.”
Meanwhile, members of the cybersecurity community have rallied around Zatko, pointing to his character and track record for integrity.
“Mudge has a long and rock-solid reputation of putting integrity first. He’s also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it’s almost certainly worth paying attention to,” Ellis tells Dark Reading. “This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around Mudge this morning, others clearly feel the same way. Infosec doesn’t suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves.”
Turner echoes those sentiments.
“I’ve known Mudge since his days at Cult of the Dead Cow,” says Turner. “When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I’ve worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cybersecurity. He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems.”
Twitter did not immediately respond to a request for comment from Dark Reading on the allegations.