Peiter “Mudge” Zatko, Twitter’s former security chief, says the company misled regulators about its security measures, according to a whistleblower complaint obtained by The Washington Post. In the complaint, filed with the Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission, he alleges that the company violated the terms it agreed to when settling a privacy dispute with the FTC in 2011. Twitter, he says, has “extreme, egregious shortcomings” when it comes to defending the site against attackers.
As part of that FTC agreement, Twitter had agreed to implement and monitor safeguards to protect its users. However, Zatko says half of Twitter’s servers are running outdated and vulnerable software, and that thousands of employees still have wide-ranging access to the company’s core internal software, which has previously led to major breaches. If you’ll recall, bad actors were able to commandeer the accounts of some of the site’s most prominent users in 2020, including Barack Obama and Elon Musk, by targeting employees with a social-engineering attack to gain access to the company’s internal systems and tools.
After that incident, the company hired Zatko, who previously ran a cyberespionage detection program for DARPA, as its head of security. He argues that security should be a bigger concern for the company, since it holds the email addresses and phone numbers of numerous public figures, including dissidents and activists, whose lives could be in danger if they are doxxed.
The former security chief wrote:
“Twitter is grossly negligent in several areas of information security. Unless these issues are addressed, regulators, media and users of the platform will be shocked to learn of Twitter’s inevitable serious lack of security fundamentals.”
Additionally, Zatko has accused Twitter of prioritizing user growth over reducing spam by handing out bonuses tied to increasing the number of daily users. The company does not award bonuses directly tied to reducing spam on the site, the complaint says. Zatko also claims that he never received a direct answer from Twitter regarding the true number of bots on the platform. Since 2019, Twitter has only counted bots among the users that can see and click ads, and its SEC reports have consistently kept its bot estimates below 5 percent ever since.
Zatko wanted to know the actual number of bots on the platform, not just the monetizable ones. He cites a source who allegedly said Twitter was wary of counting the actual number of bots on the site because it would “damage the company’s image and valuation.” His revelations could feed into Twitter’s legal battle against Elon Musk, who has been taking steps to back out of his $44 billion acquisition. Musk accused Twitter of fraud for hiding the actual number of fake accounts on the site, saying that his analysts found a much higher number of bots than Twitter claimed. As the Post notes, however, Zatko has provided limited hard documentary evidence regarding spam and bots, leaving it unclear whether this would help Musk’s case.
When asked why he filed a whistleblower complaint — he is represented by the nonprofit law firm Whistleblower Aid — Zatko replied that, as someone working in cybersecurity, he “felt ethically obligated to do so.” Twitter spokeswoman Rebecca Hahn, however, denied that the company fails to prioritize security. “Security and privacy have long been top company-wide priorities at Twitter,” she said, adding that Zatko’s allegations were “riddled with inaccuracies.” She also said that Twitter fired Zatko after 15 months “for poor performance and leadership” and that he now appears to be “opportunistically trying to harm Twitter, its customers and its shareholders.”
Whistleblower accuses Twitter of being ‘grossly negligent’ towards security. Source: https://www.engadget.com/twitter-whistleblower-security-holes-115558064.html