Twitter’s former security chief, Peiter “Mudge” Zatko, filed a whistleblower complaint with the Securities and Exchange Commission in July 2022, accusing the microblogging platform company of serious security failings. The accusations amplified the ongoing drama of Twitter’s potential sale to Elon Musk.
Zatko spent decades as an ethical hacker, private researcher, government adviser and executive at some of the most prominent internet companies and government offices. He is practically a legend in the cybersecurity industry. Because of his reputation, when he speaks, people and governments normally listen – which underscores the seriousness of his complaint against Twitter.
As a former cybersecurity industry practitioner and current cybersecurity researcher, I believe that Zatko’s most damning accusations center around Twitter’s alleged failure to have a solid cybersecurity plan to protect user data, deploy internal controls to guard against insider threats and ensure the company’s systems were current and properly updated.
Zatko also alleged that Twitter executives were less than forthcoming about cybersecurity incidents on the platform when briefing both regulators and the company’s board of directors. He claimed that Twitter prioritized user growth over reducing spam and other unwanted content that poisoned the platform and detracted from the user experience. His complaint also expressed concerns about the company’s business practices.
Alleged security failures
Zatko’s allegations paint a disturbing picture of not only the state of Twitter’s cybersecurity as a social media platform, but also the security consciousness of Twitter as a company. Both points are relevant given Twitter’s position in global communications and the ongoing struggle against online extremism and disinformation.
Perhaps the most significant of Zatko’s allegations is his claim that nearly half of Twitter’s employees have direct access to user data and Twitter’s source code. Time-tested cybersecurity practices don’t allow so many people with this level of “root” or “privileged” permission to access sensitive systems and data. If true, this means that Twitter could be ripe for exploitation either from within or by outside adversaries assisted by people on the inside who may not have been properly vetted.
Zatko also alleges that Twitter’s data centers may not be as secure, resilient or reliable as the company claims. He estimated that nearly half of Twitter’s 500,000 servers around the world lack basic security controls such as running up-to-date and vendor-supported software or encrypting the user data stored on them. He also noted that the company’s lack of a robust business continuity plan means that should several of its data centers fail due to a cyber incident or other…