Major headache for Twitter’s board, as its former head of security Peiter ‘Mudge’ Zatko makes explosive allegations about security and management lapses
Twitter is being hit by explosive claims from a whistleblower, namely its former head of security who was fired earlier this year.
Parag Agrawal, who succeeded co-founder Jack Dorsey as CEO of Twitter in November 2021, began making changes that saw the dismissal of chief design officer Dantley Davis and head of engineering Michael Montano.
Then in January the world was informed that Peiter Zatko, Twitter’s head of security, and Rinki Sethi, the chief information security officer, were no longer at the company.
Twitter didn’t say whether the departures were voluntary, prompting speculation that they had been fired.
Both joined the company in November 2020, following a hack that allowed teenagers to tweet from the verified accounts of public figures such as Microsoft co-founder Bill Gates and Tesla chief executive Elon Musk.
Peiter Zatko is a security veteran and is known by the handle “Mudge”.
He is a well-known hacker who has had a long security career since the 1990s working for DARPA, Google and Stripe.
Now Peiter Zatko has turned Twitter whistleblower, making a number of serious claims against his former employer on Tuesday in exclusive interviews with CNN and the Washington Post.
Zatko alleged that Twitter has major security problems that pose a threat to its own users’ personal information, to company shareholders, to national security, and to democracy.
Zatko’s disclosures are so serious that last month they were sent to Congress and federal agencies.
Zatko had filed his complaint with the Securities and Exchange Commission in July.
So what exactly is Peiter Zatko alleging?
In short, he paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform’s central controls and most sensitive information without adequate oversight.
He also alleges that some of the company’s senior-most executives have been trying to cover up Twitter’s serious vulnerabilities.
He also claims that one or more current employees may be working for a foreign intelligence service.
In February 2020 Twitter warned that it had discovered attempts by ‘state-sponsored actors’ to access the phone numbers associated with user accounts.
These of course are hugely serious allegations.
According to CNN, Zatko further alleges that Twitter’s leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns.
Peiter Zatko also alleges Twitter does not reliably delete users’ data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do.
Meanwhile the whistleblower also says Twitter executives do not have the resources to fully understand the true number of bots on the platform, and are not motivated to find out.
That detail could be seized upon by Elon Musk in his legal fight against Twitter over his withdrawal from the $44bn acquisition, over disagreement about numbers of fake and bot accounts on the platform.
CNN reported that Zatko has now been issued a subpoena by Musk’s legal team.
Following the publication of Zatko’s revelations, Mr Musk tweeted screenshots of The Washington Post’s story, and tweeted an image carrying the phrase “give a little whistle”.
— Elon Musk (@elonmusk) August 23, 2022
Zatko was fired by Twitter in January for what the company alleged was poor performance, CNN reported.
According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter’s board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission.
Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen.
“If these allegations against Twitter turn out to be true, they highlight a major security issue within the organisation,” noted Julia O’Toole, CEO of MyCena Security Solutions, a specialist in preventing phishing and ransomware attacks.
“According to Zatko, Twitter employees have free rein over access to account-holder data, which significantly breaches user privacy and also falls foul of regulatory compliance requirements,” said O’Toole.
“By providing employees with unrestricted access to user data, Twitter is essentially losing control over its most valuable asset,” said O’Toole. “Not only does this increase the likelihood of the data being compromised, but it also turns Twitter employees into prime targets for phishing scammers who are looking to steal the data.”
“Organisations must begin to realise that they are responsible for their data and have a duty to keep it safe,” said O’Toole. “However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control.”
“No organisation ever allows employees to make their own keys to access a physical office, yet they allow employees to create their digital keys to access their data, which is undoubtedly their most valuable asset today,” said O’Toole.
“We need to address this vulnerability to truly improve security,” said O’Toole. “One of the best ways is through the implementation of encrypted access. Not only does encryption close doors on malicious attackers, but it also enables proper access segmentation of networks, where employees do not know their own passwords and secret keys so they can’t be stolen or phished from them.”