"No locks on the doors": Twitter whistleblower tells Senate of security gaps

Twitter whistleblower details alleged security flaws to Congress

Twitter's former security chief painted the social media company as a data-grabbing behemoth that risks exploitation by "teenagers, thieves and spies" in testimony before the Senate Judiciary Committee on Tuesday.

"Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Peiter Zatko said in his testimony.

"They don't know what data they have, where it lives and where it came from, and so, unsurprisingly, they can't protect it," Zatko said. "It doesn't matter who has keys if there are no locks on the doors."

"A decade behind"

Zatko, who was Twitter's security head from November 2020 to January 2022, when he was fired, first laid out his allegations in a whistleblower complaint last month.

On Tuesday, he said the company was "almost a decade behind cybersecurity standards." Twitter users give up far more of their personal information than they — or sometimes even Twitter itself — realize, Zatko testified.

Engineers, who make up half of Twitter's employees, can access personal data of any user, Zatko said, adding the company did not keep logs of activities that enable it to track who logged into its internal systems. Executives do not fully understand Twitter's security issues and don't have the incentives to fix them, Zatko said.

When it comes to federal regulation, the Federal Trade Commission "is in a little over their head," Zatko said: "They're left letting companies grade their own homework."

Many of Zatko's claims are uncorroborated and appear to have little documentary support. Twitter has denied his allegations.

"Today's hearing only confirms that Mr. Zatko's allegations are riddled with inconsistencies and inaccuracies," a company spokesperson said in a statement.

Former Twitter security chief alleges reckless policies

Spies on the inside?

Among Zatko's most attention-grabbing assertions Tuesday was that Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had access to highly sensitive data on users. Twitter's inability to monitor how employees accessed user accounts made it hard for the company to detect abuses, Zatko said.

Zatko said that Twitter had at least one foreign agent from China on its payroll, and expressed "high confidence" that the Indian government had placed an agent at Twitter to "understand the negotiations" between the country's ruling party and Twitter regarding new social media restrictions.

Zatko also said that Twitter's advertising sales to Chinese companies, despite the service being banned in the country, raised concerns among some employees. 

"Employees were disturbed that, in a country where the service was not allowed to be used, money was provided to organizations associated with the Chinese government," he said, adding that Amazon executives overruled those concerns.

Zatko described similar concerns about Russia. He said he was "surprised and shocked" by an exchange with Twitter CEO Parag Agrawal in which the executive, who was chief technology officer at the time, asked if it would be possible to "punt" content moderation and surveillance to the Russian government, since Twitter lacks "the ability and tools to do things correctly."

Elon Musk files new notice to cancel Twitter purchase, citing whistleblower

Shareholders back $44 billion deal

Zatko's revelations offer additional ammunition to Tesla CEO Elon Musk, who is set to face Twitter in court after trying to back out of a $44 billion deal to buy the company. Musk has subpoenaed Zatko to testify at the trial, which is set to begin on October 17.

Separately on Tuesday, Twitter shareholders voted overwhelmingly to approve Musk's acquisition, according to multiple media reports. Shareholders have been voting on the issue for weeks, although the vote was largely a formality, given the court case.

One issue that didn't come up in the hearing was the question of whether Twitter is accurately counting its active users. One of Musk's key contentions is that Twitter is lying about how many bots it has on the platform — an assertion that Zatko seemed to back up in his whistleblower complaint.

Sen. Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said the flaws Zatko described "may pose a direct threat to Twitter's hundreds of millions of users as well as to American democracy."

"Twitter is an immensely powerful platform and can't afford gaping vulnerabilities," Durbin said.

Zatko, 51, first gained prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in senior positions at an elite Defense Department research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.

The Associated Press contributed to this report.

f

We and our partners use cookies to understand how you use our site, improve your experience and serve you personalized content and advertising. Read about how we use cookies in our cookie policy and how you can control them by clicking Manage Settings. By continuing to use this site, you accept these cookies.