Senators criticize alleged Twitter security flaws as whistleblower testifies

Former Twitter security executive Peiter Zatko testifying at a Senate Judiciary Committee hearing on September 13, 2022.

Democratic and Republican leaders of the US Senate Judiciary Committee criticized Twitter for alleged security lapses in a letter sent last night, on the eve of today’s hearing featuring testimony from whistleblower Peiter “Mudge” Zatko.

“We write about recent allegations that Twitter has turned a blind eye to foreign intelligence infiltration, fails to adequately protect user data, and has provided misleading or inaccurate information about its security practices to government agencies,” Judiciary Committee Chairman Richard Durbin (D-Ill.) and Ranking Member Charles Grassley (R-Iowa) wrote to Twitter CEO Parag Agrawal.

Zatko, who was Twitter’s head of security from November 2020 until he was fired in January 2022, alleged in his complaint that he “uncovered extreme and flagrant shortcomings by Twitter in all areas of its mandate, including…user privacy, physical and digital security, and platform integrity/content moderation.” Zatko also claimed Twitter is guilty of “lying about bots to Elon Musk,” although his complaint doesn’t appear to refute Twitter’s public disclosure that less than 5 percent of its monetizable daily active users (mDAUs) are spam or fake.

Durbin and Grassley’s letter focused on Twitter’s alleged security flaws, including “data security practices [that] may allow foreign governments and intelligence agencies to access sensitive data that identifies Twitter users.” The foreign intelligence issue “is not a theoretical concern,” the senators wrote. “Last month, a federal jury convicted a former Twitter employee of acting as a foreign agent for the Kingdom of Saudi Arabia. While employed by Twitter, the defendant accepted payments in exchange for accessing and transmitting the private information of Twitter users to the Saudi royal family and other Saudi officials.”

Zatko alleges “ticking time bomb” of security flaws

The Judiciary Committee invited Twitter to have someone appear at today’s hearing, but the company apparently declined. In his opening statement at the hearing, Zatko said: “Upon joining Twitter, I discovered that the company was 10 years behind on critical security issues and was not making significant progress on them. This was a ticking time bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security flaws to the highest levels of the company. It was only after my reports went unheard that I submitted my disclosures to government agencies and regulators.”

Durbin and Grassley’s letter asked Agrawal to answer a list of questions by September 26. “How, if at all, does Twitter protect its live production systems and/or user data from potential access by foreign government agents?” they asked. “To what extent are Twitter’s security teams able to determine whether foreign government agents or other nefarious actors have attempted to access sensitive systems or user data?”

They also asked how Twitter “ensure[s] that employees located in foreign countries are protected from the influence of foreign governments” and that “employees are not actively working on behalf of foreign-speaking countries.”

At today’s hearing, Zatko testified that he was “told there was at least one agent from the MSS, which is one of China’s intelligence services, on the payroll inside Twitter,” Vice reported.

Senators investigate employee access to data

Durbin and Grassley’s letter outlined claims that Twitter does not have enough control over how employees access sensitive data. “Zatko’s disclosure suggests that more than half of the company’s full-time employees have privileged access to Twitter’s production systems, allowing several thousand employees to access sensitive user data, while at the same time, Twitter reportedly lacks sufficient ability to reliably know who has accessed specific systems and data and what they did with it,” they wrote.

The senators asked Agrawal how many engineers and other Twitter employees have “access to live production systems and/or user data” and asked several other questions about employee access and security. “To what extent do Twitter engineers use live production data and test new software directly on the company’s commercial service, as opposed to segregated test systems? … If new software is not tested on a segregated testing system, using test data, please explain why Twitter does not follow this practice, which many of its peers do,” they wrote.
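The two conditions the letter raises, how many employees hold standing production access and whether each access to user data can be tied to a person and a reason, are the kind of thing a security team should be able to answer from its own directory and audit logs. The script below is an added example written for this article, not code from Twitter or from Zatko’s disclosure; the staff directory, the approved-role policy, the JSON-lines audit log and the system names are all constructed for illustration.

```python
"""Added example: measure standing privileged access and flag production
accesses that cannot be attributed. All inputs below are constructed."""
import json
from collections import Counter

# Constructed staff directory: who holds a role granting production access.
STAFF = [
    {"user": "alice", "role": "sre",      "prod_access": True},
    {"user": "bob",   "role": "sales",    "prod_access": True},   # out of policy
    {"user": "carol", "role": "support",  "prod_access": False},
    {"user": "dave",  "role": "engineer", "prod_access": True},
]

# Assumed policy: only these roles should hold standing production access.
APPROVED_PROD_ROLES = {"sre", "engineer"}

# Assumed set of systems that hold live user data.
PRODUCTION_SYSTEMS = {"user-db"}

# Constructed JSON-lines audit log as a production data store might emit it.
AUDIT_LOG = """
{"ts":"2022-09-13T10:00:01Z","actor":"alice","system":"user-db","action":"read","ticket":"INC-101"}
{"ts":"2022-09-13T10:02:14Z","actor":"bob","system":"user-db","action":"export","ticket":""}
{"ts":"2022-09-13T10:05:30Z","actor":"","system":"user-db","action":"read","ticket":""}
{"ts":"2022-09-13T10:07:45Z","actor":"dave","system":"staging-db","action":"read","ticket":""}
"""


def privileged_access_summary(staff=STAFF):
    """Count holders of standing production access and list those outside policy."""
    holders = [s for s in staff if s["prod_access"]]
    out_of_policy = sorted(s["user"] for s in holders
                           if s["role"] not in APPROVED_PROD_ROLES)
    return {
        "total": len(staff),
        "privileged": len(holders),
        "share": len(holders) / len(staff),
        "out_of_policy": out_of_policy,
    }


def parse_audit_log(text=AUDIT_LOG):
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def unattributable_accesses(events):
    """Return production accesses lacking an actor, a ticket reference, or both.

    Each finding is (timestamp, actor, action, reasons). Accesses to
    non-production systems are ignored."""
    findings = []
    for e in events:
        if e["system"] not in PRODUCTION_SYSTEMS:
            continue
        reasons = []
        if not e["actor"]:
            reasons.append("no actor")
        if not e["ticket"]:
            reasons.append("no ticket")
        if reasons:
            findings.append((e["ts"], e["actor"] or "<unknown>", e["action"], reasons))
    return findings


def production_actions_by_actor(events):
    """Who touched production data, and how often; '<unknown>' is the red flag."""
    return Counter(e["actor"] or "<unknown>"
                   for e in events if e["system"] in PRODUCTION_SYSTEMS)


if __name__ == "__main__":
    print(privileged_access_summary())
    events = parse_audit_log()
    for finding in unattributable_accesses(events):
        print(finding)
    print(production_actions_by_actor(events))
```

An empty `actor` field in a production access record is the concrete form of the letter’s concern that the company cannot “reliably know who has accessed specific systems and data”; a non-empty share of such records, or a privileged share anywhere near half of staff, is what this check is meant to surface.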

The senators asked Agrawal to respond to claims that when the Federal Trade Commission “asked Twitter whether it completely deleted the data of users who left the service, Twitter deliberately misled the FTC by claiming that those accounts were ‘deactivated,’ even when the data was not completely erased.”

They also asked Agrawal to confirm or refute allegations that “more than 50 percent of Twitter’s 500,000 data center servers [use] non-compliant kernels or operating systems,” that many of these servers “cannot support encryption at rest,” that more than 30 percent of employee devices have software and security updates disabled, and that Twitter “has no mobile device management” for employee phones.
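The four fleet-level claims in that paragraph (unsupported kernels, no encryption at rest, updates disabled, no MDM) are each a simple property per host or device, and the percentages the letter quotes are what a compliance report over an asset inventory produces. The script below is an added example for this article, not Twitter’s tooling; the minimum kernel version, the server and device records and their field names are constructed assumptions.

```python
"""Added example: a fleet-compliance report over the categories of finding
quoted in the senators' letter. Records and thresholds are constructed."""

# Assumed policy: oldest kernel series still considered supported.
MIN_KERNEL = (5, 10)

# Constructed server inventory.
SERVERS = [
    {"host": "web-01",   "kernel": "5.15.0-generic", "encryption_at_rest": True},
    {"host": "db-01",    "kernel": "4.19.2",         "encryption_at_rest": False},
    {"host": "db-02",    "kernel": "5.4.0",          "encryption_at_rest": False},
    {"host": "cache-01", "kernel": "6.1.0",          "encryption_at_rest": True},
]

# Constructed employee-device inventory.
DEVICES = [
    {"device": "laptop-a", "updates_enabled": True,  "mdm_enrolled": True},
    {"device": "laptop-b", "updates_enabled": False, "mdm_enrolled": False},
    {"device": "phone-c",  "updates_enabled": True,  "mdm_enrolled": False},
]


def parse_kernel(version):
    """'5.15.0-generic' -> (5, 15, 0). Non-numeric suffixes in a component are dropped."""
    parts = []
    for component in version.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def kernel_compliant(version, minimum=MIN_KERNEL):
    """Compare only as many components as the policy specifies."""
    return parse_kernel(version)[:len(minimum)] >= minimum


def pct(count, total):
    return 100.0 * count / total if total else 0.0


def server_report(servers=SERVERS):
    """Share of servers on unsupported kernels and without encryption at rest."""
    bad_kernel = [s["host"] for s in servers if not kernel_compliant(s["kernel"])]
    no_ear = [s["host"] for s in servers if not s["encryption_at_rest"]]
    n = len(servers)
    return {
        "noncompliant_kernel": bad_kernel,
        "noncompliant_kernel_pct": pct(len(bad_kernel), n),
        "no_encryption_at_rest": no_ear,
        "no_encryption_at_rest_pct": pct(len(no_ear), n),
    }


def device_report(devices=DEVICES):
    """Share of employee devices with updates disabled and outside MDM."""
    no_updates = [d["device"] for d in devices if not d["updates_enabled"]]
    no_mdm = [d["device"] for d in devices if not d["mdm_enrolled"]]
    n = len(devices)
    return {
        "updates_disabled": no_updates,
        "updates_disabled_pct": pct(len(no_updates), n),
        "not_mdm_enrolled": no_mdm,
        "not_mdm_enrolled_pct": pct(len(no_mdm), n),
    }


if __name__ == "__main__":
    print(server_report())
    print(device_report())
```

The point of keeping the host lists alongside the percentages is that a number like “more than 50 percent” is only actionable when it comes with the names of the systems behind it; the encryption-at-rest figure in particular tends to track the kernel figure, since old kernels are often the reason a host cannot enable it.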

We’ve reached out to Twitter about the letter and will update this article if we hear back.
