Twitter’s former security chief claims the company lied about bots and security

Twitter hid negligent security practices, misled federal regulators about its security and failed to correctly estimate the number of bots on its platform, according to testimony from the company’s former chief security officer, the legendary hacker turned cybersecurity expert Peiter “Mudge” Zatko. The explosive allegations could have huge consequences, including federal fines and the potential failure of Tesla CEO Elon Musk’s takeover bid for Twitter.

Zatko was fired by Twitter in January and claims it was retaliation for his refusal to remain silent about the company’s vulnerabilities. Last month, he filed a lawsuit with the Securities and Exchange Commission (SEC) that accuses Twitter of misleading shareholders and violating an agreement with the Federal Trade Commission (FTC) to enforce certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and released in redacted form this morning.

In an interview with CNN, Zatko said he joined Twitter in 2020 at the request of then-CEO Jack Dorsey, right after the company was hit by a massive hack in which accounts belonging to figures such as Barack Obama, Bill Gates and Kanye West were compromised. Zatko says he joined Twitter because he believes the platform is an “essential resource” for the world, but was disappointed by CEO Parag Agrawal’s refusal to address the many flaws in Twitter’s business security.

“It would never be my first move, but I believe I still fulfill my obligation to Jack and to the users of the platform,” Zatko told The Washington Post regarding his decision to become a whistleblower. “I want to finish the job Jack brought me in for, which was to make the place better.”

Zatko’s SEC disclosures contain many damning reports and accusations, but these are among the most significant:

  • Indiscriminate access. A significant part of Twitter’s vulnerability is that too many employees have access to critical systems, Zatko claims in his complaint. It says that about half of Twitter’s approximately 7,000 full-time employees have access to users’ sensitive personal data (such as phone numbers) and internal software (to modify how the service works) and that this access is not closely monitored. It also alleges that thousands of laptops contain complete copies of Twitter’s source code.
  • Fool the FTC. In 2010, Twitter settled charges with the FTC that it failed to protect consumers’ personal information – a significant and early example of government regulators clamping down on Big Tech. Zatko’s complaint claims that Twitter repeatedly made “false and misleading statements” to users and the FTC, violating this agreement.
  • Ignore bots. Twitter has repeatedly claimed that less than 5% of its monetizable daily active users are bots, fake accounts, or spam. Zatko’s complaint states that the method used by Twitter to measure this figure is misleading and that executives are incentivized (with bonuses of up to $10 million) to increase user numbers rather than remove spambots.
  • Government agents. Twitter is a key tool for sharing information and organizing protests, making it a ripe target for governments seeking to suppress dissent. Zatko’s complaint says he believes the Indian government forced Twitter to hire a government agent, who then had “access to large amounts of sensitive Twitter data.”
  • Delete Failed. The complaint says Twitter has in the past failed to delete user data when requested because such records are too prevalent among internal systems to be properly tracked. A current employee told The Washington Post that the company has just completed a project, known as Project Eraser, to ensure the correct deletion of user data.

In response to Zatko’s complaint, Twitter accused its former security chief of sensationalizing and selectively presenting information. A spokesperson told CNN:

“Mr. Zatko was terminated from his senior position at Twitter for poor performance and ineffective leadership more than six months ago. Although we have not had access to the specific allegations referenced, what we have seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. The allegations and Mr. Zatko’s opportunistic timing seem designed to grab attention and harm Twitter, its customers, and its shareholders. Security and privacy have long been company-wide priorities at Twitter, and we still have a lot of work ahead of us.”

Zatko’s allegations are explosive and will have a significant effect on the company. The FTC is currently investigating the complaint, according to sources cited by The Washington Post, and would likely impose significant fines on Twitter if Zatko’s accusations turn out to be true.

The complaint will also affect the ongoing fight between Musk and Twitter. Musk is currently trying to extricate himself from a $44 billion deal to buy the company, justifying the move with an accusation that Twitter is lying about the actual number of bot and spam accounts on the platform. While it’s unclear whether Zatko’s complaint affects Musk’s legal argument, it will certainly bolster the public perception of his case, which is based on the accusation that Twitter underestimates its bots.
