Zatko further claims that Twitter does not have comprehensive development or testing environments for piloting new features and system improvements before releasing them into live production software. As a result, Zatko describes a situation where engineers would work alongside live systems and “test directly into commercial service, leading to regular service outages.” The documents also allege that roughly half of Twitter’s employees had privileged access to live production systems and user data, without the monitoring needed to catch fraudulent or otherwise unwanted activity. Zatko’s complaint describes Twitter as having approximately 11,000 employees; Twitter says it currently has about 7,000.
The complaints allege that these lax security practices explain Twitter’s history of security incidents, data breaches and account takeovers.
“We are looking into the redacted claims that have been published,” Twitter CEO Parag Agrawal wrote in a message to Twitter staff this morning. “We will pursue all avenues to protect our integrity as a company and set the record straight.”
Twitter says all employee computers are centrally managed and that its IT department can force updates or impose access restrictions if updates are not installed. The company also said that before a computer can connect to production systems, it must pass a check to ensure its software is up to date, and that only employees with a “business justification” can access the production environment, and only for “specific purposes.”
Al Sutton, co-founder and chief technology officer of Snapp Automotive, was a staff software engineer at Twitter from August 2020 to February 2021. He noted in a tweet on Tuesday that Twitter had never removed him from the pool of employee GitHub accounts allowed to submit changes to code the company manages on the development platform. Sutton retained access to private repositories for 18 months after leaving the company, and he posted evidence that Twitter uses GitHub not only for public, open-source work but also for internal projects. Within about three hours of his post, Sutton reported that the access had been revoked.
“I think Twitter is being pretty casual about Mudge’s claims, so I thought a verifiable example might be helpful for people,” he told WIRED. When asked whether Zatko’s allegations track with his own experience working at Twitter, Sutton added, “I think the best thing to say here is that I have no reason to doubt his claims.”
Security engineers and researchers point out that while there are different ways to approach the security of a production environment, there is a conceptual problem if employees have broad access to user data and deployed code without extensive logging. Some organizations take the approach of drastically limiting access, while others combine broader access with continuous monitoring, but either option should be a conscious choice in which a company invests heavily. After the Chinese government hacked Google in 2010, for example, the company went all in on the former approach.
“It’s actually not that unusual for companies to have relatively liberal policies on giving engineers access to production systems, but when they do they’re very, very strict about recording everything that’s done,” says Perry Metzger, managing partner of Metzger, Dowdeswell & Company. “Mudge has an incredible reputation, but let’s just say he was completely incompetent. The easiest thing for them would be to provide technical details of the logging systems they use for engineers’ access to production systems. But what Mudge is portraying is a culture where people would rather cover things up than fix them, and that’s the worrying part.”
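The two points above, that production access must either be tightly restricted or else fully logged and monitored, and that offboarded staff must actually lose their access, can be made concrete in code. The following is an added example written for this page; it is not Twitter’s code, and every name and record in it is constructed. It models a production data gate that allows reads only for actors on the HR roster and only with a stated business justification, writes every decision to an audit log, and then runs two checks a practitioner would want: a reconciliation of who still holds access against who is still employed (the Sutton case), and a review of the audit log for denied attempts and bulk reads by a single actor (the kind of monitoring Metzger describes).

```python
"""Added example: production-access gate with audit logging, plus the checks
that the logging enables. All roster, access and user data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed HR roster of currently employed engineers (hypothetical).
ACTIVE_EMPLOYEES = {"alice", "bob"}
# Constructed list of accounts that can still reach production / the code host.
# "al_former" left the company but was never deprovisioned.
PROD_ACCESS_HOLDERS = {"alice", "bob", "al_former"}
# Constructed stand-in for a production user database.
USER_DB = {f"user{n}": {"email": f"user{n}@example.invalid"} for n in range(1, 21)}


def stale_access(roster, holders):
    """Accounts holding production access that no longer appear on the HR roster.
    A sound offboarding process keeps this set empty; run it on every roster change."""
    return set(holders) - set(roster)


@dataclass
class AuditLog:
    """Append-only record of every access decision, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, actor, target, justification, allowed, reason=""):
        self.entries.append({
            "actor": actor, "target": target, "justification": justification,
            "allowed": allowed, "reason": reason,
        })


class ProductionDataGate:
    """Broad access model: any active employee may read user records, but only
    with a stated business justification, and every decision is logged."""

    def __init__(self, roster, db, log):
        self.roster, self.db, self.log = roster, db, log

    def read_user_record(self, actor, user_id, justification=""):
        if actor not in self.roster:
            self.log.record(actor, user_id, justification, False, "actor not on roster")
            raise PermissionError(f"{actor} is not an active employee")
        if not justification.strip():
            self.log.record(actor, user_id, justification, False, "missing justification")
            raise PermissionError("business justification required")
        self.log.record(actor, user_id, justification, True)
        return self.db[user_id]


def review(entries, bulk_threshold=10):
    """Monitoring over the audit log: report every denied attempt and any actor
    who read at least bulk_threshold distinct records."""
    findings = []
    distinct_targets = defaultdict(set)
    for e in entries:
        if not e["allowed"]:
            findings.append(f"DENIED {e['actor']} -> {e['target']}: {e['reason']}")
        else:
            distinct_targets[e["actor"]].add(e["target"])
    for actor, targets in distinct_targets.items():
        if len(targets) >= bulk_threshold:
            findings.append(f"BULK {actor} read {len(targets)} distinct records")
    return findings


def demo():
    """Exercise the gate with constructed activity and return both check results."""
    log = AuditLog()
    gate = ProductionDataGate(ACTIVE_EMPLOYEES, USER_DB, log)
    gate.read_user_record("alice", "user1", "support ticket 123: account recovery")
    for uid in list(USER_DB)[:12]:          # one engineer pulling 12 different records
        gate.read_user_record("bob", uid, "debugging timeline bug")
    for actor, uid, why in [("al_former", "user2", "curious"), ("alice", "user3", "")]:
        try:
            gate.read_user_record(actor, uid, why)
        except PermissionError:
            pass                            # denial is recorded in the log either way
    return stale_access(ACTIVE_EMPLOYEES, PROD_ACCESS_HOLDERS), review(log.entries), log


if __name__ == "__main__":
    stale, findings, _ = demo()
    print("stale access holders:", sorted(stale))
    for f in findings:
        print(f)
```

The point of the design is that the gate never has an unlogged path: a denial is written before the exception is raised, so the review function sees attempts by deprovisioned accounts and justification-less reads, not only successes. The bulk-read heuristic is deliberately simple; in practice the threshold would be tuned per role and fed from a central log pipeline rather than an in-memory list.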
Zatko and Whistleblower Aid, the nonprofit legal group that represents him, say they stand by the documents released Tuesday. “Twitter has a major impact on the lives of hundreds of millions of people around the world and has fundamental obligations to its users and the government to provide a safe and secure platform,” Libby Liu, CEO of Whistleblower Aid, said in a statement.
For now, however, the allegations raise a number of serious concerns that appear unlikely to be quickly explained or fully resolved.