Twitter whistleblower says site put growth over security

"It doesn't matter who has keys if there are no locks," said Peter 'Mudge' Zatko


And there is at least one Chinese agent at the company

Peter 'Mudge' Zatko, Twitter's former security lead, has alleged that the social media site puts users' safety and the security of the country at risk by prioritising growth over correcting "egregious" security flaws.

Zatko served as Twitter's chief of security from November 2020 until his firing in January 2022. In July, he filed a whistleblower complaint with the US Congress, the Justice Department, the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC), and is now testifying before the Senate Judiciary Committee.

Zatko says he found severe, egregious violations in every area of his mandate, including user privacy; physical and digital security; and platform integrity/content moderation.

He further claimed that many employees could access Twitter's core controls and certain sensitive information, and that vulnerabilities in the platform could allow foreign snooping, manipulation, or hacking.

"Twitter is misleading the public, lawmakers and regulators," Zatko told the Senate Judiciary Committee on Tuesday.

He said the situation is a "ticking bomb of security vulnerabilities" and that the platform is almost a decade behind the industry's best standard.

"This is a big deal for all of us. They don't know what data they have, where it lives and where it came from and so, unsurprisingly, they can't protect it. It doesn't matter who has keys if there are no locks," Zatko said.

He also claimed that Twitter was employing at least one Chinese agent, telling the Committee that the FBI had issued a warning on the matter.

"I had been told because the corporate security physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China's intelligence services, on the payroll inside Twitter," Zatko told US lawmakers.

He said he reported the issue to an executive and was told "What does it matter if we have more [foreign agents]?"

The Judiciary Committee's chairman, Illinois Democrat Senator Dick Durbin, said Zatko has revealed security weaknesses that may directly threaten Twitter's hundreds of millions of users, as well as American democracy.

"Twitter is an immensely powerful platform and can't afford gaping vulnerabilities," he said. "Imagine if it's a malicious hacker or a hostile foreign government breaking into the President's Twitter account, sending out false information, claiming there was a terrorist attack on one of our citizens? We could see widespread panic."

The Committee's leaders criticised Twitter for alleged security lapses in a letter [pdf] sent to CEO Parag Agrawal on Monday.

"We write regarding recent allegations that Twitter has turned a blind eye to foreign intelligence infiltration, does not adequately protect user data, and has provided misleading or inaccurate information about its security practices to government agencies," Judiciary Committee Chair Richard Durbin (D-Ill.) and ranking member Charles Grassley (R-Iowa) wrote.

Durbin and Grassley requested that Agrawal respond to a series of questions by 26th September.

Twitter has rejected Zatko's claims, saying they are uncorroborated.

The company referred to the account of the events that Zatko has provided as "a fake narrative... riddled with inconsistencies and inaccuracies" and missing important context.

Allegations have implications for Musk buyout

Zatko's complaint is relevant in Twitter's ongoing legal battle with billionaire Elon Musk. The microblogging platform is seeking to persuade Musk to stick to his promise to pay $44 billion for the company, after he attempted to back out of the contract in July.

Musk's lawyers told the SEC their client was pulling out because Twitter was 'in material breach of multiple provisions' of the agreement. The legal team has served subpoenas on Zatko and former Twitter CEO Jack Dorsey in advance of the trial date of 17th October.

In the latest turn of events over the prolonged acquisition process, Twitter shareholders this week voted to approve Elon Musk's bid to purchase the firm for $44 billion.

Not only does the approval imply that Twitter can go ahead with the deal, it also means Twitter can move forward with a lawsuit demanding Musk fulfil his obligations to acquire the firm.

The trial is expected to get underway in October in the Delaware Court of Chancery.