Ex-Twitter executive alleges egregious security flaws on platform

Twitter is plagued by “extreme, egregious” cybersecurity vulnerabilities that pose a threat to national security and democracy, the social media company’s former security chief alleges.


What You Need To Know

  • Twitter is plagued by “extreme, egregious” cybersecurity vulnerabilities that pose a threat to national security and democracy, the social media company’s former security chief alleges.
  • In a whistleblower complaint, Peiter Zatko claims nearly half of Twitter’s employees have access to critical company software, making the platform more susceptible to hacks, according to reports
  • Zatko alleges, according to the media reports, that Twitter has failed to properly protect the sensitive personal data of its 238 million daily users and made false statements to the FTC
  • In a statement to Spectrum News on Tuesday morning, a Twitter spokesperson painted Zatko as a bitter former employee making untrue claims

In a whistleblower complaint, Peiter Zatko claims nearly half of Twitter’s employees have access to critical company software, making the platform more susceptible to hacks, according to The Washington Post and CNN, which obtained redacted copies of the 84-page disclosure.

Zatko alleges, according to the media reports, that Twitter has failed to properly protect the sensitive personal data of its 238 million daily users — who include government agencies, heads of state and dissidents. He also says the company violated a settlement with the Federal Trade Commission by falsely insisting it had a solid security plan and that CEO Parag Agrawal lied in a May tweet about the company being “strongly incentivized to detect and remove as much spam as we possibly can.”

The complaint was filed last month with the Securities and Exchange Commission, Department of Justice and FTC, and it has been shared with a number of congressional committees, according to the reports.

In an interview with CNN that aired Tuesday, Zatko said he is speaking out because “I just want to make the world a better place, a safer place.”

“I think Twitter is a critical resource to the entire world,” he said. “I think it’s an extremely important platform.

“Your whole perception of the world is made from what you are seeing, reading and consuming online,” Zatko added. “And if you don’t have an understanding of what’s real, what’s not, yeah, I think this is pretty scary.”

On the allegation that employees have broad access to Twitter’s core controls, Zatko compared the situation to an airliner in which every passenger and crew member has access to the cockpit controls. “It’s too easy to accidentally or intentionally turn an engine off,” he said.

The former executive also says in his complaint that he believes the Indian government forced Twitter to put one of its agents on the payroll, giving them access to user data at a time of intense protests in the country. Earlier this month, a former Twitter employee was convicted of spying for the Saudi Arabian government by sharing personal information about dissidents who used the platform.

Zatko says Twitter fired him in January for raising his security concerns internally.

In a statement to Spectrum News on Tuesday morning, a Twitter spokesperson painted Zatko as a disgruntled former employee making untrue claims. 

“Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance,” the spokesperson said. “What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

Attorney John Tye — whose group, Whistleblower Aid, is representing Zatko — insisted the former Twitter executive is not speaking out to exact revenge over his losing his job.

“This is not any kind of personal issue for him,” Tye told CNN. “He was eventually fired in January of this year, but he hasn’t given up on trying to do that job.”

Zatko and Tye told the network they could, under the terms of the lawful whistleblower disclosure process, only speak generally about the allegations.

Tye said he and Zatko “are in touch with the law enforcement agencies. They’re taking this seriously.”

Sen. Dick Durbin, D-Ill., chairman of the Senate Judiciary Committee, said Tuesday the panel is investigating Zatko’s claims.

“The whistleblower’s allegations of widespread security failures at Twitter, willful misrepresentations by top executives to government agencies, and penetration of the company by foreign intelligence raise serious concerns,” Durbin tweeted. “If these claims are accurate, they may show dangerous data privacy & security risks for Twitter users around the world.”

Twitter hired Zatko, a renowned hacker widely known by his handle “Mudge,” in late 2020, a few months after a group of young hackers tricked employees into giving them access to internal tools that allowed them to tweet from the accounts of notable figures such as then-presidential candidate Joe Biden, Tesla CEO Elon Musk and Microsoft co-founder Bill Gates.

Zatko also alleges in his complaint that Twitter has been misleading about how many fake accounts and bots are on its platform. 

That issue is at the heart of Musk’s attempt to back out of a $44 billion deal to purchase Twitter and the social media giant’s lawsuit to force the sale.

Alex Spiro, an attorney representing Musk, told The Washington Post his firm has “already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding.”

Tye denied that the timing of Zatko’s whistleblower complaint had anything to do with the Musk case.

The Justice Department and FCC did not immediately respond to emails from Spectrum News seeking comment. The FTC and SEC declined to comment.