Twitter’s logging, access and data controls are so poor that they practically invite exploitation by hackers, insider threats, disinformation agents and foreign spies, according to former chief information security officer and whistleblower Peiter “Mudge” Zatko.
In testimony to Congress, Zatko, a well-respected information security professional with a decades-long record of advocating for better security policy in the public and private sectors, said Tuesday that after joining Twitter as its CISO in November 2020 and speaking to engineers and employees, he realized the company was “more than a decade behind industry security standards.”
In particular, Zatko said Twitter’s data infrastructure is so decentralized that not even leadership knows all the data the company collects or where it’s stored. When he brought those concerns to Twitter’s leadership, he said, their incentive structure led them to prioritize “profits over security.”
“First, they don’t know what data they have, where it lives, or where it came from and so unsurprisingly, they can’t protect it. That leads to the second problem: employees need to have too much access to too much data on too many systems,” Zatko told the Senate Judiciary Committee.
Additionally, Twitter has repeatedly dealt with foreign governments bribing or enticing employees to hand over user data. In 2019, two employees were charged with acting as illegal foreign agents of Saudi Arabia, passing sensitive user data on critics and dissidents of the royal family in exchange for money, and Zatko said the company had also dealt with at least one Chinese foreign agent inside the company.
He also said in his time as CISO, he observed at least one instance where a likely foreign agent from India was placed inside the company to gain access to information related to Twitter’s ongoing negotiations with Indian government officials over requests to ban certain accounts and content. He also recalled routinely seeing Twitter account credentials listed for sale on the dark web.
But the status quo at Twitter and preoccupation of leadership with growth and managing other public crises meant the company “simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
In the case of the Indian agent, he said he had to task a small internal team with developing the protocols needed to track and monitor just that one individual, a solution that doesn’t scale to Twitter’s larger employee base. Such access is so valuable and so easy to gain, he surmised, that any foreign country not attempting to place agents inside the company wasn’t doing its job.
"From my understanding from people in the [intelligence] community who focus on foreign intelligence organizations and assets, if you placed somebody in Twitter…it would be very difficult for Twitter to find them, they would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or information as to Twitter's decisions and discussions and as to the direction of the company," said Zatko.
When asked what data the company tends to collect on the average user, Zatko cited a user’s phone numbers, their latest IP address, other IP addresses, their current email, prior emails, where Twitter thinks the user lives, where they are currently connecting from, what language they speak, the type of device they are connecting with, their web browser, and possibly their type of computer.
Twitter executives have denied Zatko's claims, and after his whistleblower complaint was made public, a company spokesperson said he was fired in January for "ineffective leadership and poor performance." According to the Wall Street Journal, the company paid Zatko $7 million in a settlement prior to his submission of the complaint. Questions and a request for comment sent to Twitter's press office were not immediately returned.
Committee chair Dick Durbin, D-Ill., made the case that Twitter’s infrastructure is too important to leave user data unsecured, likening it to customers giving their money to a bank that then leaves the vault “wide open.” He referenced a widely reported 2020 incident in which two young hackers spear-phished Twitter employees over the phone, posing as IT support to gain administrative access that allowed them to take over a number of high-profile accounts, including those of then-presidential candidate Joe Biden, former President Barack Obama, Elon Musk, Michael Bloomberg and others.
The potential for damage, Durbin argued, could have been far greater.
“We’ve already seen what can happen when small-time hackers break into Twitter accounts belonging to government officials, but what if next time it isn’t two teenagers trying to pull a crypto scam?” said Durbin. “Imagine if it’s a malicious hacker or a hostile foreign government breaking into the President’s Twitter account, or sending out false information claiming there was a terrorist attack on one of our cities? We could see widespread panic.”
The failure to safeguard user information was already the subject of a 2011 consent decree the company agreed to with the Federal Trade Commission. However, Zatko said that FTC enforcement (usually in the form of one-time fines) is viewed as toothless compared to regulation from other countries, like France, and his testimony indicated that the company hasn’t introduced the safeguards needed to prevent a similar attack from succeeding in the future.
“It’s not far-fetched to say that an employee at the company could take over the accounts of all of the senators in this room,” he said. “Given the real harm to users and national security I determined it was necessary to take on the professional and personal risk to myself and my family of becoming a whistleblower.”