What are Twitter's 'extreme, egregious' security problems?

What are Twitter’s ‘egregious’ security problems? Experts explain how flaws outlined in whistleblower’s report could be ‘extremely damaging’ to national security and personal data

  • Twitter’s former employee made a disclosure to Congress and federal agencies
  • He tells of ‘egregious deficiencies, willful ignorance and negligence’ at Twitter
  • Some of these malpractices compromise national security and personal privacy

An ex-Twitter employee has blasted the platform for an alleged litany of poor practices, inefficiencies and lies that could risk personal data and even US security.

Peiter ‘Mudge’ Zatko, the social media firm’s former head of security, has said that Twitter’s board has been covering up ‘extreme’ and ‘egregious’ deficiencies. 

These include refusing to cull the platform of bots, not deleting user data when it should, and misleading the Federal Trade Commission (FTC).  

Zatko’s disclosure describes ‘egregious deficiencies, negligence, willful ignorance and threats to national security and democracy’ at Twitter. 

He made the 200-page disclosure to Congress and federal agencies last month, which was obtained by CNN and The Washington Post and revealed on Tuesday. 

Twitter has come back with the claim that Zatko was fired in January 2022 for ‘ineffective leadership and poor performance’. 

MailOnline has spoken to experts to see exactly how Twitter’s alleged deficiencies make the platform a risk to personal privacy and national security. 

Peiter ‘Mudge’ Zatko (pictured yesterday), the social media firm’s former head of security, made the bombshell disclosure to Congress and federal agencies last month

Zatko said Twitter’s board had been covering up its ‘extreme, egregious deficiencies’

TWITTER BOTS

Zatko has said Twitter executives don’t have the resources to figure out how many bots – automated Twitter accounts controlled by bot software – are on the platform.

Twitter says around 5 per cent of accounts are bot accounts, but Zatko suggests it’s likely much more than that.

WHAT ARE TWITTER BOTS? 

Twitter bots, also known as zombies, are automated Twitter accounts controlled by bot software. 

While they are programmed to perform tasks that resemble those of everyday Twitter users – such as liking tweets and following other users – their purpose is to tweet and retweet content on a large scale. 

Twitter bots can do nefarious things like trolling and propagating misinformation for purposes that include spinning elections, inciting panic, and spreading malware.

Source: Norton 

While a Twitter employee, he was allegedly told by the ‘head of site integrity’ that the company actually didn’t know how many Twitter bots there are, CNN revealed. 

There was reportedly no desire to properly measure the number of bots because if the true number became public it could harm the company’s value and image. 

Staff at Twitter – which has 238 million daily users – have also allegedly been incentivised with bonuses of up to $10 million to increase daily user numbers, but have done nothing to remove bots. 

Jake Moore, a security advisor at ESET, told MailOnline that Twitter bot accounts can be ‘extremely damaging’ for disinformation. 

‘Bots can alter the narrative of information online rapidly, plus they have the ability to change people’s minds and perceptions of situations,’ he said. 

‘They are used often to drive misinformation which can have damaging social consequences.’

The issue of Twitter’s bots has become central to billionaire Elon Musk’s now stalled takeover of the platform, which is heading for trial in the US in October.

Twitter is looking to force through the £37.4 billion deal after Musk backed out, claiming that Twitter had been misleading about the number of fake accounts. 

Elon Musk (pictured) is engaged in a bitter legal battle over his acquisition of the social network, claiming Twitter lied about the number of bots on the platform

USER DATA

Zatko, who previously worked at Google and the Department of Defense, also alleged that Twitter does not reliably delete user data after an account is cancelled. 

In some cases, this is because Twitter has lost track of the information, often as it has spread too widely among the firm’s systems. 

IS ELON MUSK STILL BUYING TWITTER? 

Elon Musk is engaged in a bitter legal battle over his acquisition of the social network, claiming Twitter lied about the number of bots on the platform.

Musk’s lawyers have reportedly sought information from a range of mid-level employees and high-level executives regarding Twitter’s user data and how it was collected and analysed.

The Tesla CEO claims bots or fake accounts represent far more than the five per cent claimed by the company when he offered to buy it in April.

Twitter is suing the world’s richest man for backing out of the deal, claiming he is using the bot issue as a pretext for his buyer’s remorse.  

The company has also allegedly misled regulators regarding whether it deletes data of users who have left the platform. 

Moore told MailOnline that data of those who have left remains a valuable commodity for tech companies. 

‘When you delete an account your data often stays on the servers of the platform and this data may be stored, analysed or sold at any time,’ he said. 

‘Free platforms usually profit from their users’ data and this can harm users’ privacy and even security now and in the future.’

‘INDISCRIMINATE ACCESS’

Twitter has also given thousands of staff access to central controls and the most sensitive information without adequate oversight, Zatko said. 

There is also allegedly a general lack of transparency at Twitter around which employee has accessed what data and when. 

Such data includes personal details such as email addresses and phone numbers. 

According to Zatko, Twitter has ‘never been in compliance’ with the FTC over a consent order that it signed in 2011.

This order was signed after a complaint that Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system.  

The failure to adhere to the order means Twitter suffers an ‘anomalously high rate of security incidents’ at around one per week which are serious enough to alert the government, the ex-security chief said.

James Bore, a security consultant at Bores Group, has pointed to a recent Twitter data breach revealed earlier this month that compromised 5.4 million users. 

Zatko, whose hacker alias is Mudge, is pictured testifying before the Senate Governmental Affairs hearing on government computer security in 1998

‘We know from the previous Twitter breach that, unless things have changed, they don’t keep a tight rein on staff’s ability to access and ultimately take control of even their most sensitive users’ accounts,’ he told MailOnline.

‘Even earlier this year another breach clearly showed that they haven’t taken precautions to protect their users, as allegedly 5.4 million users were compromised, with their emails and phone numbers exposed and offered for sale on a hacking forum.’  

TWITTER SPIES?  

Zatko, who reported directly to CEO Jack Dorsey and his replacement Parag Agrawal, said senior executives have been covering up the platform’s biggest vulnerabilities. 

He has even claimed one or more employees could be working as spies for foreign intelligence services.

The social media platform could therefore be susceptible to foreign interference or spying and hacking – a risk to national security.  

Bore told MailOnline: ‘Given the data that appears to be available to Twitter staff and the influence of the platform, this isn’t a stretch of the imagination.

‘Intelligence agencies could be willing to put the effort in to place their own staff within the company to access data which could lead to identifying those objecting to regimes around the world.’ 

The disclosure also claims the US government provided specific evidence to Twitter shortly before Zatko left the company that at least one of its employees was working for another government’s intelligence service.

However, the whistleblower’s report does not state whether Twitter was already aware of this or if subsequent action was taken.

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey (pictured) in November 2021

Zatko said he had attempted to raise the alleged security lapses with Twitter’s board and claims his public whistleblowing comes after those attempts failed. 

Aside from the staffing security concerns, Zatko also feared its server infrastructure made Twitter vulnerable.

He said half of its 500,000 servers use outdated software that does not support encryption for stored data or regular security updates.

Its inadequate recovery procedures from data center crashes also mean that minor outages could knock Twitter offline for good, he claims.

The tech firm said automatic checks are in place to ensure laptops running outdated software cannot access the production environment, and that record-keeping and review requirements are in place for any changes to the live product.  

Zatko’s disclosure could lead to billions in fines for Twitter if the claims are proven or if the company is found to have violated its legal obligations.

In response to the disclosure, a Twitter spokesperson told MailOnline: ‘Mr Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance. 

‘What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. 

‘Mr Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. 

‘Security and privacy have long been company-wide priorities at Twitter and will continue to be.’

WHO IS PEITER ‘MUDGE’ ZATKO? 

Peiter ‘Mudge’ Zatko is a famed hacker who nearly 20 years ago told Congress he could take down the internet in 30 minutes.  

His colourful career began in the 1990s, when he simultaneously conducted classified work for a government contractor and was among the leaders of Cult of the Dead Cow, a hacking group notorious for releasing Windows hacking tools in order to goad Microsoft into improving security. 

Mudge testified before a Senate committee in 1998 about the serious vulnerabilities of the Internet at that time.  

He was appointed to Twitter in 2020 to recommend changes in structure and practices to bolster its security after a series of damaging compromises that saw users including Barack Obama, Joe Biden and Elon Musk hacked.

He said at the time he will examine ‘information security, site integrity, physical security, platform integrity – which starts to touch on abuse and manipulation of the platform – and engineering.’ 

But he was fired in January 2022 for what the company claimed was poor performance but what he said was retaliation.

The tech wizard said he tried to flag the security lapses to the board before he went public. 

According to his disclosure, Zatko had a tense relationship with Twitter CEO Parag Agrawal, who took over from Jack Dorsey in November.

He claimed Agrawal and his staff constantly discouraged him from giving a full account of the security problems to the board, instead instructing him to give an oral report on his findings.

The whistleblower also said he was ordered to present cherry-picked data to give a false impression of progress, and that they then went behind his back to scrub a consulting firm’s report and hide the extent of the problems.

Zatko claimed Dorsey was more amenable to his recommendations than Agrawal but he became less engaged in his final months at the tech giant.

Some staff even thought Dorsey was ill because he became so distanced and uninterested in the company, Zatko said. 

Zatko’s concerns at Twitter grew after the January 6 Capitol riots when he feared a sympathizer within the company could manipulate the platform on what is known as the ‘production environment’.

But he says he soon learned ‘it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did… Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment.’

He added that Twitter could not hold individual workers accountable because it has no control or visibility into their computers, claiming four out of ten devices do not meet basic security standards. 

The company said its engineering and product teams can access the production environment if they have a business justification for doing so. 