Whistleblower claims Twitter execs are covering up its ‘deficient’ security that is risk to democracy, national security and personal data: Former head of security backs Musk’s claim they don’t know how many bots are on platform

  • Peiter ‘Mudge’ Zatko has made bombshell claims about Twitter’s security flaws
  • He filed a disclosure to Congress and federal agencies last month
  • The famed hacker said Twitter is vulnerable to hackers and spies
  • He claimed one or multiple employees could be working for foreign intelligence 
  • Twitter said: ‘Security and privacy have long been company-wide priorities’ 

Twitter’s board has been covering up its ‘extreme, egregious deficiencies’ that make it a huge risk to national security and democracy, and executives have no idea how many bots are on the platform, a whistleblower has claimed.

‘Ethical hacker’ Peiter ‘Mudge’ Zatko, the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month.

He claimed the tech giant is completely mismanaged with thousands of staff given access to central controls and the most sensitive information without adequate oversight, CNN and the Washington Post reported. 

Zatko, who reported directly to CEO Jack Dorsey and his replacement Parag Agrawal, said senior executives have been covering up the platform’s biggest vulnerabilities, and even claimed one or multiple employees could be working as a spy for foreign intelligence services.

The whistleblower said bosses have misled the board and regulators about its security flaws that have made it susceptible to hacking, manipulation and disinformation.

In claims that will bolster Elon Musk’s legal bid, Zatko also said Twitter chiefs do not have the resources to know how many bots are on the site.

Peiter ‘Mudge’ Zatko (pictured yesterday), the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month

Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998

The Tesla CEO claimed the platform has not been truthful about the number of bots and fake accounts among its 238 million daily active users, and subsequently backed out of his $44 billion takeover deal.

Zatko, who previously worked at Google and the Department of Defense, also alleged that Twitter does not reliably delete user data after an account is cancelled, often because staff have lost track of it.

The disclosure describes his overall findings as ‘egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.’ 

His colorful career began in the 1990s, when he simultaneously conducted classified work for a government contractor and was among the leaders of Cult of the Dead Cow, a hacking group notorious for releasing Windows hacking tools in order to goad Microsoft into improving security. 

He was appointed to Twitter to recommend changes in structure and practices to bolster its security after a series of damaging compromises that saw users including Barack Obama, Joe Biden and Elon Musk hacked.

He said at the time he would examine ‘information security, site integrity, physical security, platform integrity – which starts to touch on abuse and manipulation of the platform – and engineering.’

He was fired in January for what the company claimed was poor performance, but what he said was retaliation.

The tech wizard said he tried to flag the security lapses to the board before he went public. 

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November

Staff ‘feared Jack Dorsey was ill’ during final months at Twitter 

Jack Dorsey, one of Twitter’s founders, stepped down as CEO in a shock move last November.

But for many employees at the social media firm, the decision came as far less of a surprise.

Because, according to Zatko, Dorsey had become so distant and disengaged during his final months that some senior bosses even feared he was ill.

The security boss said Dorsey had a ‘drastic loss of focus’ in 2021 and rarely attended meetings, and went silent for ‘days or weeks’ at a time. 

Zatko said Dorsey did little to integrate him at the company, and claims the then CEO said as many as 50 words to him in a year.

The pair held six one-on-one calls in 12 months, each less than half an hour, and Zatko said he did almost all of the talking. 

Twitter told CNN: ‘Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. 

‘While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. 

‘Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.’

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey in November.

He claimed Agrawal and his staff constantly discouraged him from giving a full account of the security problems to the board, instead instructing him to give an oral report on his findings.

The whistleblower also said he was ordered to present cherry-picked data to give a false impression of progress and then they went behind his back to scrub a consulting firm’s report and hide the extent of the problems.

Zatko claimed Dorsey was more amenable to his recommendations than Agrawal but he became less engaged in his final months at the tech giant.

Some staff even thought Dorsey was ill because he became so distanced and uninterested in the company, Zatko said. 

The disclosure of more than 200 pages was sent to the Securities and Exchange Commission, the Federal Trade Commission, the Senate Intelligence Committee and the Department of Justice last month.

Zatko claimed Agrawal (pictured last month) and his staff constantly discouraged him from giving a full account of the security problems to the board

A copy has now been seen by CNN after it was passed on by a senior Democratic aide. 

Zatko’s concerns at Twitter grew after the January 6 Capitol riots when he feared a sympathizer within the company could manipulate the platform on what is known as the ‘production environment’.

But he says he soon learned ‘it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did…. Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.’

He added that Twitter could not hold individual workers accountable because it has no control or visibility into their computers, claiming four out of ten devices do not meet basic security standards. 

The company said its engineering and product teams can access the production environment if they have a business justification for doing so.

Aside from the staffing security concerns, Zatko also feared its server infrastructure made Twitter vulnerable.

He said half of its 500,000 servers run outdated software that does not support encryption of stored data or receive regular security updates.

Its inadequate recovery procedures from data center crashes also mean that minor outages could knock Twitter offline for good, he claims.

The tech firm said automatic checks are in place to ensure laptops running outdated software cannot access the production environment, and that record-keeping and review requirements apply to any changes to the live product.

WHO IS THE HACKER, MUDGE? 

Mudge testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time

Mudge is a famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes.

Peiter Zatko, known in the hacker world as Mudge, was the best-known member of pioneering Boston hacking group the L0pht as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow.

More recently, he headed a Defense Department grant program for computer security projects.   

While involved with the L0pht, Mudge contributed significantly to disclosure and education on information and security vulnerabilities. 

In 2010 Mudge accepted a position as a program manager at the Defense Advanced Research Projects Agency (DARPA), a government agency where he oversaw cyber security research.

In 2013 Mudge went to work for Google in their Advanced Technology & Projects division.

Born in December 1970, Mudge graduated from the Berklee College of Music at the top of his class and is an adept guitar player.

Mudge was responsible for early research into a type of security vulnerability known as the buffer overflow. 

Mudge was one of the first people from the hacker community to reach out and build relationships with government and industry. In demand as a public speaker, he spoke at hacker conferences such as DEF CON and academic conferences such as USENIX.

He was one of the seven L0pht members who testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time.

In 2000, after the first crippling Internet distributed denial-of-service attacks, he was invited to meet with President Bill Clinton at a security summit alongside cabinet members and industry executives.

In 2004 he became a division scientist at government contractor BBN Technologies, where he originally worked in the 1990s, and also joined the technical advisory board of NFR Security.

In 2010, it was announced that he would be project manager of a DARPA project focused on directing research in cyber security.

In 2013 he announced that he would leave DARPA for a position at Google ATAP.

In 2015 Zatko announced on Twitter he would join a project called #CyberUL, a testing organisation for computer security inspired by Underwriters Laboratories, mandated by the White House.