Alleged Twitter security failings spell trouble ahead

A series of damning allegations concerning the state of Twitter’s cyber security practices and policies could spell trouble ahead for the social media platform, raising the possibility of investigations and sanctions from regulatory authorities and governments.

The bombshell disclosures were made in a filing to the US Securities and Exchange Commission (SEC) that runs to over 80 pages, copies of which were obtained by CNN and The Washington Post.

The whistleblower, Peiter “Mudge” Zatko, was formerly Twitter’s head of security and reported to the CEO, Parag Agrawal. Zatko is a well-known ethical hacker and a prominent figure in the cyber security community, having played a pivotal role in much of the sector’s early development as a member of groups including L0pht and Cult of the Dead Cow.

He joined Twitter under the tenure of Agrawal’s predecessor, founder Jack Dorsey, to help address the platform’s security problems following a 2020 cyber attack that saw cryptocurrency scammers gain access to prominent accounts, including those of Jeff Bezos, Bill Gates and Elon Musk, but his employment was terminated in early 2022.

Zatko claims he is breaking his silence now after having unsuccessfully tried to get Twitter to fix its problems. He said he was obstructed and discouraged from presenting accurate information to the organisation’s board of directors by Agrawal and others.

In the disclosure, which was also sent to the US Congress and other agencies of the US federal government in July, Zatko described an organisation riddled with bad security practices and mismanagement, one that allowed far too many insiders unfettered access to critical data and platform features.

Zatko accused Twitter of attempting to cover up a litany of serious vulnerabilities, misleading its board and regulators, and effectively leaving the door open to malicious interference from cyber criminals and nation-state intelligence services. Indeed, he suggested, there may currently be hostile spies on its payroll.

He went on to claim that the platform had been misleading users who have cancelled their accounts into believing their data had been deleted, when this was not necessarily the case.

From a technical point of view, Zatko further alleged that Twitter still runs on ageing, outdated server infrastructure that lacks adequate protections and is rarely patched, and has substandard protection and procedures in place to recover datacentres from unplanned outages.

He also said the organisation had failed to get to grips with the number of bots using the platform and was not particularly motivated to do so. This matter was a decisive factor in Elon Musk’s withdrawal from his bid to buy Twitter, which is now the subject of legal action.

Responding to Zatko’s allegations in a widely circulated statement, Twitter said Zatko was fired in January 2022 for “ineffective leadership and poor performance”.

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” said a spokesperson.

“Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

In a notice to staffers shared via Twitter itself, Agrawal echoed this statement, adding: “We will pursue all paths to defend our integrity as a company and set the record straight.”

US senators Dick Durbin of Illinois and Chuck Grassley of Iowa, who sit on the Senate Judiciary Committee and were copied into the report, said Zatko’s allegations warranted further investigation to get to the bottom of the matter.

Grassley told CNN that the combination of massive amounts of data, weak security infrastructure and vulnerability to hostile nation-state actors was a “recipe for disaster”. He said Zatko’s claims raised serious national security concerns for the US.

“I’ve known Mudge [Peiter Zatko] since his days at Cult of the Dead Cow. He has always had the highest level of integrity and adheres to the highest technical standards of development and operation of systems. If Mudge says Twitter has cyber security problems, Twitter has some big problems”

A third senator, Richard Blumenthal of Connecticut, said he had written to the Federal Trade Commission (FTC) urging it to investigate. The FTC previously investigated Twitter over allegations that it misled consumers over the security of its service, and in 2011 reached a settlement with the firm in which it was barred from “misleading consumers about the extent to which it protects the security, privacy and confidentiality of non-public consumer information”. Zatko’s complaint would seem to suggest Twitter has breached this settlement.

Meanwhile, security community members also came to Zatko’s defence and pushed back against Twitter’s rebuttals. Among them was Aaron Turner, chief technology officer (CTO) for software-as-a-service (SaaS) products at threat detection specialist Vectra.

“I’ve known Mudge since his days at Cult of the Dead Cow,” said Turner. “When I was at Microsoft, he and the Stake team helped us fundamentally improve our security strategy and tactics. As I’ve worked across government projects over the last 20 years, I would say that his work at Darpa made a significant difference in the way the US government approached cyber security.

“He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cyber security problems, Twitter has some big problems.”

Turner, who coordinated research into the 2020 crypto scam incident at Twitter, said he himself had come to the conclusion that Twitter did not have appropriate privileged user management controls, or separation of duty policies for developers and systems administrators.

“If Mudge’s disclosure is correct – that Twitter has a significant system hygiene problem combined with the user management controls and policies – then Twitter’s entire platform is at risk of compromise,” he added.

Daniel Thanos, vice-president of research and development at Arctic Wolf, also spoke in support of Zatko, saying: “Mudge is a highly trusted and respected leader in the cyber security community and his comments should not be taken lightly.”

According to Thanos, the Twitter allegations showcase a similar pattern seen with other social media companies battling their security and privacy demons. Unfortunately, he said, there are too many instances where social media companies brush these issues under the carpet and fail to address them transparently.

“All of these events have proven that self-policing isn’t going to work any more,” he said. “These social media entities are behaving as publishers now, which requires a high level of public trust. With that comes certain security and transparency responsibilities that are clearly not being met.

“Twitter has the same insider threats as many other companies. Since it has become a vital source of information, it must make sure its internal security controls maintain the highest level of security and privacy. This is absolutely fundamental due to the trust users are placing in it.”

Ed Hunter, chief information security officer (CISO) at cloud security firm Infoblox, added: “These organisations are often faced with balancing an expanded security apparatus and a scalable revenue-generating product. Many of the shortcomings are readily addressable through various integrated security technologies that grow with the revenue-generating production environment, including visibility of all assets on the network and where they’re communicating.”

But such issues are not just confined to the social media sphere. As any regular observer of the cyber security news cycle will be keenly aware, a lack of basic security hygiene, and even wilful neglect of best practice, is all too common.

For example, Julia O’Toole, CEO of access management specialist MyCena, said some of Zatko’s allegations should prompt others to realise that they are badly out of step when it comes to data protection. “Organisations must begin to realise that they are responsible for their data and have a duty to keep it safe. However, by allowing employees to create their own passwords and passkeys to access critical data, they are losing that control,” she said.

“No organisation ever allows employees to make their own keys to access a physical office, yet they allow employees to create digital keys to access their data, which is undoubtedly their most valuable asset today. We need to address this vulnerability to truly improve security.”

Thanos said the incident also showed how important it was for security leaders at any organisation to have an open and honest reporting and governance relationship with the board that internal stakeholders cannot compromise. He said Zatko’s allegations of interference on the part of senior Twitter figures should give everyone cause for concern.

“Mudge was hired to do a job by the previous CEO on this issue and on the insider threat problem, but the patterns of interference that many transformational CISOs face seem to have all been exhibited here,” he said. “Anyone who cares about the mission we are on as a security community will want to see Mudge prevail for the good of the entire industry.”