Twitter couldn’t detect foreign agents on its own, whistleblower testifies

Twitter’s inability to track how employees accessed internal data blinded them to foreign spies, the company’s former head of security, Peiter “Mudge” Zatko, testified at a hearing in front of the Senate Judiciary Committee on Tuesday.

Zatko called the issue “a lack of fundamental tools and access controls” that put the company at least 10 years behind industry norms.

A whistleblower complaint filed by Zatko in July included allegations of two incidents involving foreign spies. In one instance, Twitter knowingly allowed a non-engineering employee who was a state agent for India to retain access to internal dealings with the Indian government. In a second, the FBI alerted Twitter’s security team to the presence of a Chinese state agent in the ranks of its security team.

In his testimony to Congress, Mudge said that an alert from an agency or external source is the only way the company would be able to find a foreign agent.

In some cases, foreign governments may have sought to place agents in order to better understand Twitter’s dealings with foreign governments. In his whistleblower complaint, Zatko claimed that Twitter had allowed an agent of the Indian government onto staff, giving them insight into the company’s dealings with the Indian government.

Last month, a U.S. judge convicted two Twitter employees for using their employee access to spy on Saudi dissidents.

Mudge alleged that executives were aware of the problem but unwilling to respond, due in part to business imperatives in nations like China. “Their response was, ‘If we already have one what does it matter if we have more?’”

Members of the Senate Judiciary Committee raised concerns that these vulnerabilities could be used to spy on congressional lawmakers.

“It’s not an exaggeration that employees could take over the account of any Senator in this room,” Mudge said in the context of his claims that Twitter engineers (about half the company) have unfettered access to the company’s systems, even when it’s not needed for their jobs. Such access could be used not only to spread misinformation but also to gather personal information to pressure or influence an individual in the real world.

“If you’re not placing foreign agents inside of Twitter, where it’s very difficult to detect them and it’s very valuable to be there, as a foreign agency you’re most likely not doing your job,” Mudge said.

Twitter hired Zatko in November 2020 on the heels of a major hacking scandal in which two teens took over high-profile users’ accounts to spread a cryptocurrency scam. Twitter terminated him in January and has since pointed to “ineffective leadership and poor performance” for the reason behind his termination. (Zatko’s legal team has refuted Twitter’s characterization of his termination.)

Tuesday’s hearing follows the bombshell whistleblower complaint by Zatko alleging that the social media giant misled regulators, consumers and board members about its security performance. The complaint, filed with the Federal Trade Commission, Securities and Exchange Commission and Justice Department, was first reported by CNN and The Washington Post.

Zatko’s allegations put Twitter in violation of a 2011 order issued by the FTC in response to the company’s repeated security failures. As a part of the order, Twitter agreed to allow users to enable multi-factor authentication apps that don’t require a phone number and limit employee access to personal data.

Twitter agreed in May to pay $150 million to regulators to settle a complaint that it had already once violated the order by failing, between 2014 and 2019, to inform more than 140 million users that phone numbers and emails they provided for account security could also be used for targeted advertising.

Zatko came to prominence in the 1990s as a member of the hacking collective, L0pht. Zatko and other members of the group testified in front of Congress in 1998 about internet insecurities. He went on to work for the National Security Agency and later Google.

Twitter has disputed Zatko’s whistleblower complaint both in public statements and in court where the company is suing billionaire Elon Musk for backing away from a $44 billion deal to purchase the company. Musk’s lawyers have pointed to both the details of Zatko’s complaint as well as Twitter’s large payout to their former CISO as a violation of the two parties’ agreement.

Twitter was not in attendance at the hearing, drawing criticism from lawmakers. “The business of protecting Americans’ data is more important than Twitter’s civil litigation in Delaware,” Ranking Member Sen. Chuck Grassley said.

The post Twitter couldn't detect foreign agents on its own, whistleblower testifies appeared first on CyberScoop.
