Twitter whistleblower testifies of serious security flaws to Senate

Twitter’s former security chief Peiter “Mudge” Zatko testified before a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk. wrong hands.

“It’s not unreasonable to say that one employee within the company could take over the accounts of all the senators in this chamber,” Zatko told members of the Senate Judiciary Committee, less than a month after his whistleblower complaint was publicly reported. .

Zatko testified that Twitter lacked basic security measures and had a loose approach to accessing data between employees, opening the platform to huge risks. As he wrote in his complaint, Zatko said he believed an Indian government agent managed to become an employee at the company, an example of the consequences of lax security practices.

The testimony adds fuel to criticism from lawmakers that major tech platforms are putting revenue and growth goals over user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square has amplified Zatko’s revelations, which took on added significance given Twitter’s legal tussles with Elon Musk.

Musk sought to buy the company for $44 billion, but then tried to back out of the deal, claiming Twitter should have been more forthcoming with information about how it calculates the percentage of spam accounts. A judge in the case recently said Musk could revisit his counterclaims on the reference issues raised by Zatko.

A Twitter spokesman disputed Zatko’s testimony and said the company uses access controls, background checks and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s claims are riddled with inconsistencies and inaccuracies,” the spokesman said in a statement, adding that the company’s employment is independent of foreign influence.

Here are the highlights from Zatko’s testimony

According to Zatko, Twitter’s systems are so disorganized that the platform cannot say for sure whether it has completely deleted users’ data. That’s because Twitter hasn’t tracked where all that data is stored.

“They don’t know what data they have, where he lives or where he came from and so, surprisingly, they can’t protect him,” said Zatko.

Karim Hijazi, CEO of cyber intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure shedding,” when people come and go, and various systems are sometimes neglected.

“Over time it tends to be a bit like somebody’s garage,” said Hijazi, who previously served as director of intelligence at Mandiant, now owned by Google. “Now the problem is, unlike a garage where you can go in and start methodically taking it all apart… you can’t just wipe out the database because it’s a quilt of new information and old information .”

Removing some parts without knowing for sure if they are critical parts could risk bringing down the wider system, Hijazi said.

But security experts expressed surprise at Zatko’s testimony that Twitter didn’t even have an environment to test updates, an intermediate step that engineers can take between development and production environments to fix problems with their code before deploying it. directly.

“That was pretty surprising for a big tech firm like Twitter that didn’t have the basics,” Hijazi said. Even the tiniest little startups in the world that started seven and a half weeks ago have a development, staging and production environment.”

Chris Lehman, CEO of SafeGuard Cyber ​​​​and a former vice president of FireEye, said that “it would be shocking to me” if it is true that Twitter does not have a staging environment.

He said “more mature organizations” would have this step in place to prevent systems from crashing on the live website.

“Without a staging environment, you create more opportunities for bugs and problems,” Lehman said.

Zatko said a lack of understanding of where the data lives means employees also have far more access than they should to Twitter’s systems.

“It doesn’t matter who has the keys if you don’t have locks on the doors,” Zatko said.

Engineers, who make up a large part of the company, are given access to Twitter’s live testing environment by default, Zatko claimed. He said that type of access should be limited to a smaller group.

With so many employees having access to important information, the company is vulnerable to problematic activities such as bribery and hacking, Hijazi and Lehman said.

The one-time fines that often result from settlements with U.S. regulators like the Federal Trade Commission aren’t enough to drive stronger security practices, Zatko testified.

Zatko told Sen. Richard Blumenthal, D-Conn., that a $150 million settlement like the one Twitter reached with the FTC in May over allegations it misrepresented how it used contact information to target ads would be insufficient. to prevent the company from bad security. practices.

The company, he said, would be far more concerned about European regulators being able to impose stronger remedies.

“While I was there, the concern was only about a significantly higher amount,” Zatko said. “Or if it would have been a risk of more institutional restructuring. But that amount would have been a bit of a concern while I was there.”

Despite the flaws, users shouldn’t necessarily feel compelled to delete their accounts, Zatko and other security experts said.

“People can always choose to just opt ​​out,” Lehman said. “But the reality is that social media platforms are platforms for dialogue. And they’re the new town square. It serves a public good. I think it would be bad if people just stopped using it.”

Hijazi said that there is no point in hiding.

“That’s impossible in this day and age,” he said. “However, I think being naive to believe that these organizations really have this under control and actually have your information secured is wrong.”

Subscribe to CNBC on YouTube.

WATCH: The changing face of privacy in a pandemic