
Key Takeaways From the Twitter Whistleblower's Testimony

Former Twitter security chief Peiter Zatko, aka “Mudge,” testified before a Senate panel (video) Tuesday alleging widespread security deficiencies at the social media company. His testimony expanded on the 200-plus page whistleblower complaint submitted to Congress last month.

Zatko, who was Twitter’s head of security from November 2020 until being fired in January 2022, alleged “extreme, egregious deficiencies” in areas of user privacy, digital and physical security, and platform integrity/content moderation.

“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” he said in his testimony.

No Framework to Protect User Data

As a social media platform, Twitter sits on a giant trove of user information: the user’s phone number, the current and past IP addresses used to connect to Twitter, current and past email addresses, the person’s approximate location derived from those IP addresses, the user’s language, and details about the device or browser they use.

Protecting that information is critical. In the wrong hands, it can be used to dox individual users and open them up to physical harm. The communications can expose information users may not want publicized.

Twitter doesn’t know “what they have, where it lives, or where it came from,” Zatko told Congressional lawmakers during his testimony. “And so, unsurprisingly, they can’t protect it.”

No Access Logs

One of the core tenets of data protection is access control paired with logging, so that there is a way to monitor whether anyone is accessing information they should not be. Twitter did not have that kind of logging, Zatko said, claiming that the company had no visibility into what anyone was doing with the data.

Employees have “too much access to too much data,” Zatko said. The information is available to roughly half of Twitter’s staff, or about 4,000 employees, and engineers are given access to the data by default, he said.

The lack of controls made account takeovers trivial. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room,” Zatko said. “It doesn’t matter who has keys if you don’t have any locks on the doors.”

That scenario isn’t so far-fetched. Zatko came to Twitter shortly after a 2020 incident in which a group of teenagers gained access to an internal tool and then took over the accounts of high-profile Twitter users as part of a cryptocurrency scam.

“From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems,” Aaron Turner, CTO of SaaS Protect at Vectra, previously told Dark Reading.
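The two controls this section says were missing, an explicit grant instead of access by default and a log of who touched which record, fit in a few dozen lines. The code below is an added illustration, not Twitter's code or anything from the complaint; the roles, users, records and the `GRANTS` table are constructed sample data.

```python
"""Default-deny access control with an audit log (added example).

Every read is recorded whether or not it is allowed, so a reviewer can later
answer "who looked at this account?" and "who tried to read data they were
not granted?", the questions the testimony says Twitter could not answer.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample policy: which roles may read which classes of user data.
# Anything not listed is denied; an engineer gets nothing unless granted.
GRANTS = {
    "trust_and_safety": {"phone", "email", "ip_history"},
    "support": {"email"},
    "engineer": set(),
}


@dataclass
class AuditEvent:
    when: str
    actor: str
    role: str
    user_id: str
    field_name: str
    allowed: bool
    reason: str


@dataclass
class UserDataStore:
    records: dict
    audit_log: list = field(default_factory=list)

    def read(self, actor, role, user_id, field_name, reason):
        """Return one field of one account, logging the attempt either way."""
        allowed = field_name in GRANTS.get(role, set())
        self.audit_log.append(AuditEvent(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, user_id=user_id,
            field_name=field_name, allowed=allowed, reason=reason))
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read {field_name}")
        return self.records[user_id][field_name]


def denied_attempts(store):
    """(actor, field) for every denied read, for periodic review."""
    return [(e.actor, e.field_name) for e in store.audit_log if not e.allowed]


def actors_touching(store, user_id):
    """Who successfully read which fields of a given account."""
    return sorted({(e.actor, e.field_name) for e in store.audit_log
                   if e.allowed and e.user_id == user_id})


# Constructed sample record; values are placeholders, not real data.
SAMPLE_RECORDS = {
    "u1001": {"phone": "+1-555-0100", "email": "a@example.test",
              "ip_history": ["198.51.100.7"]},
}


def demo():
    """One permitted read and one denied read, both of which land in the log."""
    store = UserDataStore(records=dict(SAMPLE_RECORDS))
    store.read("alice", "support", "u1001", "email", "ticket 42")
    try:
        store.read("bob", "engineer", "u1001", "phone", "debugging")
    except PermissionError:
        pass
    return store
```

The design point is that the log entry is written before the decision is enforced, so a denied attempt is as visible as a successful one; a review of `denied_attempts()` is where the "too much access" pattern would first show up.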

Red Flags Were Ignored

One system that tracked logins for Twitter engineers was registering “thousands” of failed login attempts each week, Zatko said. Despite the fact that the company saw as many as 3,000 failed attempts each day, the company did not prioritize investigating to see where the attempts were coming from or what systems were being targeted.

Not investigating was a missed opportunity. Trying to figure out what the failed attempts were targeting could have helped identify potentially vulnerable systems and whether they needed additional layers of protection.
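The triage the article says did not happen, working out where failed attempts come from and which systems they hit, is a small aggregation over the authentication log. The following is an added example, not anything from the article or Twitter; the log format, the addresses and every entry in `SAMPLE_LOG` are constructed.

```python
"""Failed-login triage over an authentication log (added example).

Answers the two questions the article says went unasked: which sources are
generating the failures, and which systems are being targeted. The log
format is invented for this example.
"""
import re
from collections import Counter, defaultdict

# Constructed format: "<timestamp> auth <FAIL|OK> user=<u> src=<ip> target=<system>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) target=(?P<target>\S+)$")

# Constructed sample log: documentation-range addresses, invented usernames.
SAMPLE_LOG = """\
2022-09-13T08:00:01Z auth FAIL user=jdoe src=203.0.113.5 target=jenkins
2022-09-13T08:00:02Z auth FAIL user=admin src=203.0.113.5 target=jenkins
2022-09-13T08:00:03Z auth FAIL user=root src=203.0.113.5 target=jenkins
2022-09-13T08:00:04Z auth FAIL user=deploy src=203.0.113.5 target=jenkins
2022-09-13T08:00:09Z auth OK user=jdoe src=198.51.100.20 target=jenkins
2022-09-13T08:01:00Z auth FAIL user=msmith src=198.51.100.21 target=vpn
2022-09-13T08:01:30Z auth OK user=msmith src=198.51.100.21 target=vpn
2022-09-13T08:02:00Z auth FAIL user=admin src=203.0.113.9 target=wiki
2022-09-13T08:02:01Z auth FAIL user=admin src=203.0.113.9 target=jenkins
2022-09-13T08:02:02Z auth FAIL user=admin src=203.0.113.9 target=vpn
"""


def parse(log_text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failed_by_source(events):
    return Counter(e["src"] for e in events if e["result"] == "FAIL")


def failed_by_target(events):
    """Which systems absorb the most failures, i.e. where to look first."""
    return Counter(e["target"] for e in events if e["result"] == "FAIL")


def suspicious_sources(events, min_failures=3, min_distinct=2):
    """Sources with repeated failures spread over several usernames or over
    several systems; a single user mistyping a password does neither."""
    users, targets = defaultdict(set), defaultdict(set)
    for e in events:
        if e["result"] == "FAIL":
            users[e["src"]].add(e["user"])
            targets[e["src"]].add(e["target"])
    counts = failed_by_source(events)
    return sorted(src for src, n in counts.items()
                  if n >= min_failures
                  and (len(users[src]) >= min_distinct
                       or len(targets[src]) >= min_distinct))


def never_succeeded_from(events):
    """Sources that only ever failed. A legitimate user who fumbles a password
    usually succeeds afterwards from the same address."""
    ok = {e["src"] for e in events if e["result"] == "OK"}
    fail = {e["src"] for e in events if e["result"] == "FAIL"}
    return sorted(fail - ok)
```

Run against a real log the thresholds would need tuning, but even this shape separates the noisy source that never logs in from the employee who got it right on the second try, and `failed_by_target()` points at the system that deserves an extra layer of protection.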

Twitter is “so far behind on their infrastructure,” and the engineers aren’t given the opportunity to modernize the platform, Zatko testified.

Twitter has pushed back on the allegations. “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a spokesperson said.
