Whistleblower alleges ‘extreme’ security problems at Twitter

23 Aug 2022

Image: © keBu.Medien/Stock.adobe.com

Peiter Zatko, the former head of security at Twitter who was dismissed in January, claims the company misled its own board and regulators about security vulnerabilities.

A former senior staffer at Twitter has alleged that the social platform has major security problems that pose a threat to its users and shareholders.

Peiter Zatko has agreed to go public with accusations against his former employer, saying the company has deceived regulators, the public and its own board of directors about “extreme, egregious deficiencies” related to privacy, security and content moderation.

Also known by the moniker ‘Mudge’, Zatko was previously head of security at Twitter, reporting directly to its CEO. He was brought on in 2020 but was fired by Twitter earlier this year after the company accused him of poor performance.

Zatko has now said he tried to make Twitter’s board aware of the company’s negligence regarding security. He is being represented by Whistleblower Aid, the same group that represented Meta whistleblower Frances Haugen.

Zatko sent a disclosure last month to US Congress and US federal agencies. It was later seen by CNN and The Washington Post.

His allegations, outlined in the disclosure, are damning of Twitter’s security practices and its leadership team. He alleged that many of the company’s senior leaders are covering up security vulnerabilities and keeping the info from board members and regulators.

Zatko claimed that too many staff can access Twitter’s central controls and sensitive information without adequate background checks, and that the company does not properly delete data belonging to its users when they cancel their accounts.

He also said that at least one staff member may be working for a foreign intelligence service.

A Twitter spokesperson responded to the accusations and clarified that the company had not had access to the specific allegations referenced.

“Mr Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago,” the spokesperson told CNN.

“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”

Zatko’s allegations come amid a legal battle between Twitter and Elon Musk. The Tesla boss is attempting to back out of a $44bn takeover deal, claiming he didn’t receive enough information about fake accounts on the platform.

In his disclosure, Zatko said that Twitter execs don’t have the resources to fully understand the number of bots on the platform and are not incentivised to remove them.

John Tye of Whistleblower Aid told CNN that Zatko had not been in contact with Musk and that the whistleblower process began before before Musk’s involvement with Twitter started earlier this year.

But now Musk’s legal team have subpoenaed Zatko, according to CNN. Experts are saying that if the former security chief’s assertions are true, it could provide a “smoking gun” for Musk’s case.

Twitter, meanwhile, has said that the “opportunistic timing” of Zatko’s allegations “appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders”.

Updated, 8.45am, 24 August 2022: This article was updated to include details of Zatko being subpoenaed by Musk. 

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Blathnaid O’Dea is Careers reporter at Silicon Republic