Peiter “Mudge” Zatko tells Senate panel of ‘egregious’ security failings at Twitter, and warns of multiple breaches by intelligence agencies
The former head of security at Twitter testified on Tuesday in front of the US Congress, and reiterated very serious and highly damaging claims against his former employer.
Peiter “Mudge” Zatko and Rinki Sethi, had joined the platform in November 2020, after a hack that had allowed teenagers to tweet from the verified accounts of public figures such as Microsoft co-founder Bill Gates and Tesla boss Elon Musk.
Zatko and Sethi (Twitter’s former chief information security officer) were fired by CEO Parag Agrawal earlier this year.
Twitter alleged that Zatko had been fired for “ineffective leadership and poor performance,” but Zatko maintained he was fired in retaliation for concerns he was raising about security vulnerabilities.
Last week it was revealed that Twitter had agreed to pay Zatko roughly $7 million in relation to Zatko’s lost compensation – a fact that Elon Musk tried to use in his third attempt to walk away from his $44 billion deal for the company.
However days after his financial settlement with Twitter, Zatko filed his explosive whistleblower complaint in July with the US Congress, the US Justice department, the Federal Trade Commission and the Securities and Exchange Commission.
In his complaint, Zatko warned that Twitter was vulnerable to foreign influence and painted a picture of a chaotic and reckless environment at a mismanaged company that allowed too many of its staff access to the platform’s central controls and most sensitive information, without adequate oversight.
Zatko also alleged that some of the company’s senior-most executives had been trying to cover up Twitter’s serious vulnerabilities, and he also accused the firm of making misleading statements about its defences against hackers and spam accounts.
Zatko also alleged that Twitter deployed ‘mostly outdated, unmonitored simple scripts plus overworked, inefficient, understaffed and reactive human teams’ to detect bot accounts.
Zatko also took aim at a tweet made by CEO Agrawal back in May that said Twitter was ‘strongly incentivised to detect and remove as much spam as we possibly can.’
He also claimed that one or more current employees at Twitter may be working for a foreign intelligence service.
This week Twitter shareholders voted overwhelmingly in favour of Musk’s takeover deal of Twitter, after a preliminary count indicated that 98.6 percent of the votes cast were in favour of Musk’s deal.
Meanwhile Zatko made his scheduled appearance before the Senate Judiciary Committee on Tuesday.
Zatko reiterated a lot of his previous claims about Twitter, alleging Twitter’s failures made the platform vulnerable to exploitation, including by foreign agents.
Zatko said in his two years at the company, he witnessed “extreme, egregious deficiencies by Twitter in every area of his mandate”, the Guardian reported.
“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said as he began his sworn testimony. “They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”
Zatko alleged that Twitter misled regulators and the public about its safety practices.
At the hearing on Tuesday, he detailed those claims, saying that Twitter runs out-of-date and vulnerable software on more than half of its data centre servers. According to the Guardian, he summarised concerns into two main categories: the company does not know enough about its own data, and employees have too much access to data.
“It’s not an exaggeration that any employee could take over the accounts of any senator in this room,” he was quoted by the Guardian as saying.
Foreign intelligence breaches
Zatko also alleged that Twitter was breached by foreign intelligence agencies in “multiple episodes”.
He claimed that Twitter knowingly allowed the government of India to place its agents on the company payroll, adding he spoke with “high confidence” about a foreign agent placed by the Indian government to “understand the negotiations” between India’s ruling party and Twitter about new social media restrictions.
In February 2020 Twitter warned that it had discovered attempts by ‘state-sponsored actors’ to access the phone numbers associated with user accounts.
Then last month, a US court convicted a former Twitter manager (Ahmad Abouammo, a dual US-Lebanese citizen) of spying for Saudi Arabia on six criminal counts.
Responding to questions from Republican Senator Chuck Grassley of Iowa about reports that the FBI had warned that the company had inadvertently employed at least one member of China’s state security ministry, Zatko said Twitter “lacks the fundamental abilities to hunt for foreign intelligence agencies and expel them on its own”.
Grassley said Zatko’s allegations paint a “picture of a company that is solely focused on profit at any expense.” He added: “Twitter has a responsibility to make sure that data is protected and doesn’t fall into the hands of foreign powers.”
According to the Guardian, Zatko also alleged foreign agents at the company would have access to large swaths of user data, and said that when he once alerted Twitter about a foreign agent, he was dismissed: “Since we already have one, what is the problem if we have more?” he says he was told.
A Twitter spokesperson disputed Zatko’s testimony and told CNBC that the company uses access controls, background checks and monitoring and detection systems to control access to data.
“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent from foreign influence.