Twitter’s security vulnerabilities get exposed by ex-employee

A former employee recently exposed a series of Twitter’s security vulnerabilities that could compromise the company legally and financially.

by Fabio Ferreira

A former employee recently exposed a series of Twitter’s security vulnerabilities. Peiter “Mudge” Zatko, a hacker and pioneer in security, has spent 30 years showing people the risks they face. He now does so as a “whistleblower.”

According to the former head of security and famed hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko, Twitter has concealed poor security procedures, deceived federal authorities about its safety, and underestimated the number of bots on its site. The claims are explosive and might have far-reaching effects, such as monetary penalties from the federal government and the collapse of Tesla CEO Elon Musk’s attempt to acquire Twitter.

The Washington Post got the document from a senior Democratic aide on Capitol Hill. It could affect Twitter’s legal and financial future.

But Zatko, fired in January less than two years after Twitter hired him, says he is just trying to keep his promise to make Twitter and its users, including dissidents in authoritarian regimes, safer by any legal means.

That’s why Twitter CEO Jack Dorsey hired him in the first place: he was known as an expert who followed his moral compass and told the truth to push for change, even when it put himself at risk. “Make a dent in the universe” has long been his motto.

After a teenage hacker took over the verified Twitter accounts of political leaders in 2020, Zatko told The Post that he jumped at the chance to join the platform “to improve the health of the public conversation.” “I had no choice but to step up to the plate and take a few swings.”

Zatko claims that when Dorsey resigned in November 2021, new CEO Parag Agrawal sacked him because he notified the board that security for important customer data was poorer than they had been led to believe.

Twitter responded by saying Zatko’s assertions were untrue, overstated, or no longer relevant.

“Mr. Zatko was ousted from Twitter more than six months ago for poor performance and leadership, and he now appears to be opportunistically attempting to inflict harm on Twitter, its consumers, and its shareholders,” said Rebecca Hahn, Twitter’s global VP of communications. Agrawal did not comment further.

The 51-year-old Zatko has a history of revealing confidential information, mainly when such information serves to conceal illegal or irresponsible business practices.

By the time he was 30, he had co-founded one of the first hacking consultancies backed by venture capital, brought insights from the cyber underground to large corporations with the most to lose, and testified to Congress under his hacker handle about the vulnerability of the internet to drastic hacks.

Although Zatko declined to discuss Twitter specifically, the records provided by his attorney at Whistleblower Aid to regulators, together with interviews with current and former workers and acquaintances, show why it was highly improbable that he would quit the San Francisco platform quietly.

Zatko, who lives in the New York City region, stated, “I joined Twitter because it’s an important resource to the globe.” According to one author, “all news seems to be from Twitter or goes to Twitter for the coloring and context, and as such, it not only paints public opinion, but it may alter governments.”


What are Twitter’s security vulnerabilities?

Zatko’s filings with the SEC are full of incriminating information, but the following are some of the most serious allegations about Twitter’s security vulnerabilities:

Free for all users. According to Zatko’s lawsuit, Twitter is especially vulnerable because too many people inside the company have access to sensitive data. According to the report, half of Twitter’s 7,000 or more full-time workers have unrestricted access to users’ private information (such as phone numbers) and to internal software (which can change how the site functions). Additionally, he claims that another of Twitter’s security vulnerabilities is that its source code is available in its entirety on thousands of computers.

Deceiving the Federal Trade Commission. The Federal Trade Commission resolved charges against Twitter in 2010 for failing to secure users’ personal information, an early and significant instance of government authorities reining in Big Tech. According to Zatko’s complaint filed with the FTC, Twitter has regularly made “false and misleading assertions” to its users and to the agency.

Avoiding bots. Twitter maintains that its monetizable daily active user base is less than 5% spam, false accounts, or bots. According to Zatko’s lawsuit, Twitter executives are encouraged (with incentives of up to $10 million) to increase user numbers rather than delete spam bots, and Twitter’s method of measuring this statistic is misleading.

Officers of the law. Twitter is a powerful medium for disseminating information and coordinating demonstrations, making it a prime target for oppressive governments. According to Zatko’s allegations, “huge volumes of Twitter sensitive data” were made available to a government agent hired by Twitter at the behest of the Indian government.

Clearing data. According to the lawsuit, Twitter’s overall internal system design makes it impossible to guarantee that every trace of a user account will be deleted when requested. An insider has informed The Washington Post that the company has just finished a project called Project Eraser to guarantee the complete and accurate removal of customer information.

The other side

In response to Zatko’s complaint, Twitter has said that its former head of security made up stories and presented only some of the facts, and that security has always been one of the company’s top concerns. A spokesman told CNN:

“Mr. Zatko was fired from his job as a senior executive at Twitter over six months ago for not doing his job well and not being a good leader. We haven’t seen the specific allegations that are being made, but what we have seen so far is a story about how we handle privacy and data security that is full of inaccuracies and is missing important context. Mr. Zatko’s accusations and the way he chose to make them seem like they are meant to get attention and hurt Twitter, its customers, and its shareholders. Security and privacy have been important to Twitter as a whole for a long time, and we still have a lot of work to do.”

Who is Peiter Zatko?

Zatko, the son of a chemistry professor and a mining scientist, spent his childhood in Alabama and Pennsylvania, where he learned to play the violin, the guitar, and the drums, and where he also learned to crack the digital copyright locks on video games and join the early online world of dial-up text discussion boards.


He found that picking locks, both virtual and physical, was enjoyable, so even after enrolling at Berklee in 1988, he continued his online explorations, occasionally bartering the use of Berklee studio space for time in the MIT computer laboratories, where aspiring hackers were welcome.

Peiter Zatko decided to stay in Boston and transformed a temporary tech-support assignment at BBN Technologies, an elite government contractor responsible for the early internet’s core plumbing, into a full-time security position. Those large labs were where genuine hacking was done back in the day, with hackers experimenting on mainframes and networks of smaller computers.

The outside hacking culture was rougher and more enjoyable; it was a parallel universe where people used aliases, traded tips on how to break into private firms’ networks and computers, and hung around in the break rooms.

Zatko later joined DARPA, the Defense Advanced Research Projects Agency, a center for new ideas at the Pentagon. There, he made a “fast track” program to give out small grants so that hackers working alone could help the government.
