Senators denounce alleged Twitter security flaws as whistleblower testifies

Former Twitter security chief Peiter Zatko testifies during a Senate Judiciary Committee hearing on September 13, 2022.

Democratic and Republican leaders of the US Senate Judiciary Committee blasted Twitter for alleged security flaws in a letter sent last night, on the eve of today's hearing featuring testimony from whistleblower Peiter "Mudge" Zatko.

"We are writing about recent allegations that Twitter turned a blind eye to foreign intelligence infiltration, failed to adequately protect user data, and provided misleading or inaccurate information about its security practices to government agencies," Judiciary Committee Chairman Richard Durbin (D-Ill.) and ranking member Charles Grassley (R-Iowa) wrote to Twitter CEO Parag Agrawal.

Zatko, who was Twitter's chief security officer from November 2020 until his firing in January 2022, alleged in his whistleblower complaint that he "discovered extreme and egregious deficiencies by Twitter in all areas of his mandate, including... user privacy, digital and physical security, and platform integrity/content moderation." Zatko also claims Twitter is guilty of "lying about bots to Elon Musk," although his complaint does not appear to contradict Twitter's public disclosure that fewer than 5% of its monetizable daily active users (mDAUs) are spam or fake.

Durbin and Grassley's letter addressed Twitter's alleged security vulnerabilities, including "data security practices [that] may allow foreign governments and intelligence agencies to access sensitive data identifying Twitter users." The threat from foreign intelligence agencies "is not a theoretical concern," the senators wrote, pointing to the case of a former Twitter employee who, according to the letter, "accepted payments in exchange for accessing and passing Twitter users' private information to the Saudi royal family and other Saudi officials" while employed by Twitter.

Zatko alleges a ‘ticking time bomb’ of security breaches

The Judiciary Committee invited Twitter to send a representative to today's hearing, but the company apparently declined. In his opening statement at the hearing, Zatko said: "Upon joining Twitter, I discovered that the company had 10 years of overdue critical security issues, and it was not making meaningful progress on them. It was a time bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed these security vulnerabilities to the highest levels of the company. Only after my reports went unheeded did I submit my disclosures to government agencies and regulators."

Durbin and Grassley's letter asked Agrawal to answer a list of questions by September 26, including: "How good are Twitter's security teams at determining whether agents of foreign governments or other nefarious actors have attempted to access sensitive systems or user data?"

They further asked how Twitter "ensure[s] that employees located in foreign countries are protected from the influence of foreign governments" and that "employees do not actively work on behalf of foreign governments," they wrote.

At today's hearing, Zatko testified that he was "told that there was at least one agent from the MSS, which is one of China's intelligence services, on the payroll of Twitter."

Senators probe employee access to data

Durbin and Grassley's letter outlines claims that Twitter does not have sufficient control over how employees access sensitive data. Zatko's "disclosure suggests that more than half of the company's full-time employees have privileged access to Twitter's production systems, allowing several thousand employees to access sensitive user data, while, at the same time, Twitter would not have sufficient capacity to reliably know who accessed specific systems and data and what they did with it," they wrote.

The senators asked Agrawal how many engineers and other Twitter employees had "access to live production systems and/or user data" and asked several other questions about employee access and security. "To what extent do Twitter engineers use live production data and test new software directly on the company's commercial service, as opposed to separate test systems?... If new software is not tested in a separate test system, using test data, please explain why Twitter does not follow this practice, which many of its peer companies do," they wrote.

The senators asked Agrawal to respond to claims that when the Federal Trade Commission "asked Twitter if it completely deleted the data of users who had left the service, Twitter deliberately misled the FTC by stating that those accounts were 'disabled,' even when the data was not fully deleted."

They also asked Agrawal to confirm or refute claims that "more than 50% of Twitter's 500,000 data center servers [use] non-compliant kernels or operating systems," that many of these servers are "unable to support encryption at rest," that more than 30% of employee devices have software and security updates disabled, and that Twitter has "no mobile device management" for employee phones.

We’ve reached out to Twitter about the letter and will update this article if we get a response.
