‘Real Harm To Real People’ Twitter Security Flaws Exposed By “Mudge,” A Whistleblower

Former Twitter chief of security Peiter “Mudge” Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, DC on September 13, 2022, on data security at Twitter. Photos by Kevin Dietsch/Getty Images.

Peiter “Mudge” Zatko, the company’s former security chief, testified before lawmakers on Tuesday, his first public appearance since making a series of explosive accusations against Twitter in a whistleblower complaint last month. He claimed that the social media platform was endangering users and national security by putting growth ahead of fixing “egregious” security lapses.

Zatko, a famous hacker with three decades of experience in cybersecurity, told the Senate Judiciary Committee, “What I discovered when I joined Twitter was that this extremely prominent corporation was over a decade behind industry security norms.” The company’s cybersecurity flaws leave it open to exploitation, which can result in actual harm to real individuals.

Zatko first testified before the Senate 24 years ago with flowing long hair, in stark contrast to his current solemn demeanor in a traditional gray suit and a beard. But his warning echoed the one he gave then, when he alarmed lawmakers by saying that he and his fellow hackers could shut down the Internet in 30 minutes. It’s “not far-fetched to say” that someone working inside the corporation might “take over the accounts of all of the Senators in this room,” he claimed.

Zatko claimed that Twitter’s shortcomings posed a significant danger to international and domestic security. It’s a significant matter for everyone when a powerful media platform can be hacked by teens, thieves, and spies and the firm keeps causing security issues on its own.

Zatko, invoking federal whistleblower protections, filed 84 pages of disclosures to U.S. regulatory agencies in July, accusing the $32 billion company’s top executives of violating FTC Act and Securities and Exchange Commission regulations by misleading its users, board members, and investors about critical security failures. Zatko claimed that because of these flaws, the platform was vulnerable to attacks, infiltration by foreign governments, and exploitation by a wide variety of undesirable actors.

“I think they would like to wave a magic wand and have all of these things fixed,” he told lawmakers on Tuesday. “But they’re unwilling to bite the bullet…and say ‘hey, we’re going to have to devote some time and money to get these basic things in place.’”

Twitter, according to the head of the Senate Judiciary Committee, Senator Richard Durbin, “cannot afford glaring security holes” because of how influential the platform is. He described a scenario in which a malicious hacker or hostile foreign government compromises the President of the United States’ Twitter account and uses it to spread false information, such as a claim that a citizen was the victim of a terrorist attack. In the worst case, he said, people start panicking.


The following is a brief overview of the key points Zatko addressed during his hearing on Tuesday.

“One Crisis At A Time”: Zatko Described Internal Chaos On Twitter

Zatko said that the corporation was unwilling to spend money fixing even the most basic security holes and that employees were angry over what they saw as leadership failures. When asked about plans to address the platform’s security and privacy concerns, he stated, “The engineers and the workforce desire this change.” But the culture, he said, only allows them to deal with one catastrophe at a time: another crisis arises and the previous one is forgotten.

Zatko’s allegations are at the center of a multibillion-dollar legal battle over Twitter’s deal to sell the company to Elon Musk. After Musk’s legal team subpoenaed Zatko last month, the judge determined that Musk could add Zatko’s charges to his complaint against the firm.

Two months before Zatko’s whistleblower lawsuit went public, the firm settled with him for more than $7 million in compensation that was improperly withheld. According to the Wall Street Journal, he also signed a nondisclosure agreement promising not to speak ill of the corporation.

Using the popcorn emoji in a tweet on Tuesday, Musk seemed to indicate that he was following the proceedings. Twitter shareholders decided to support Musk’s original bid less than an hour after the hearings concluded. Natasha Lamb, the managing partner of Arjuna Capital, which owns Twitter shares, says, “There’s been a pile-on to Twitter, between Musk’s activities and now Mudge’s charges, that have very much impacted the value of the business.” According to Bloomberg, “investors consider Musk’s purchase as maybe the only route out so that they might regain value.”

On October 17, a trial will begin on the dispute between Twitter and Musk.

Claims About Twitter’s Links With Foreign Governments

Zatko spent much time discussing one of the most concerning aspects of his disclosure: Twitter’s decision to engage an agent for the Indian government in its newly established Indian office and provide that agent with access to internal information. Twitter and the Indian government have been at odds over the censorship of tweets in India for several years. According to Zatko, the agent’s main objective while working for Twitter was to learn about “Twitter’s discussions with the court and the government.”

On Tuesday, the whistleblower stated that once he found out about the agent, he assembled a small team “only to track one individual,” but that it was “very difficult” to monitor the agent’s activity or rein them in because of Twitter’s inadequate internal capabilities.

When Zatko informed an executive about the alleged agent, the executive allegedly said, “Since we already have one, what does it matter if we have more?” Zatko accused management of ignoring the situation and pressing ahead with expanding the office.

Zatko claims that some Twitter employees had concerns that the Chinese government could acquire data on the platform’s users, and he recounted internal disagreements with executives who wanted to boost Chinese advertising revenue.

“The executive in charge of sales very shortly after I joined said, ‘This is a big internal conundrum because we’re making too much money from these sales, we’re not going to stop,’” he said.

The redacted complaint was only a preview of what Zatko eventually divulged. While the publicly released version stated that he had notified Twitter that “one or more” of its workers were “working on behalf of another particular foreign intelligence agency,” he provided more details on Tuesday. According to Zatko, he found out that Twitter employed a spy for China’s Ministry of State Security the week before he was let go.

Twitter’s Role In Geopolitical Crises

Zatko highlighted the “shocking” paucity of content moderators fluent in other languages. He implied that this failure contributed to the Rohingya genocide in Myanmar, where online hate speech and propaganda helped incite violence against the Muslim minority.

You can’t ask, “Where were the Burmese speakers while something was happening in Myanmar?” after the fact, he said. Eighty percent of Twitter’s audience lives outside the United States, and the company needs to reflect that. If all you can say is “Google Translate is doing the right thing for me,” you’re not contributing to a productive community or the public dialogue, he warned.

Lawmakers also noted that users in totalitarian regimes suffered as a result of Twitter’s emphasis on development over security and privacy protections.

Durbin noted that earlier this year a federal jury convicted a Saudi national working for Twitter of obtaining the personal data of dissidents who challenged the Saudi regime and handing it over to the Saudi authorities. For these dissidents, he said, it is a matter of life and death.

How The FTC Has Been “Outgunned” By Big Tech

According to Zatko, Twitter was allowed to lag behind its rivals by a “decade” in terms of security since it was not subjected to significant regulatory pressure. The FTC, according to the whistleblower, is “totally outgunned” by Big Tech. The agency “let firms grade their own homework” and permitted them to hire their own auditors, which the whistleblower saw as a conflict of interest.

“Clearly what we’re doing right now is not working,” Sen. Richard Blumenthal said.

According to Zatko’s testimony before Congress, Twitter is more worried about other international authorities than the FTC. In particular, he mentioned how the Commission Nationale de l’Informatique et des Libertes (CNIL), France’s data privacy watchdog, “terrified” the company by asking technical and quantitative questions and having the power to levy large recurring fines, as opposed to the one-time FTC penalties that Twitter “priced in” to their business model.

Senators From Both Parties Called For Stepping Up Regulation

In Congress on Tuesday, Zatko’s presence, however brief, sparked a bipartisan mood. Senator Lindsey Graham of South Carolina committed to working with Senator Elizabeth Warren, with whom he has “different viewpoints on practically everything,” to draft new legislation to control Big Tech. He said, “I want to make sure we have a regulatory framework that has teeth, much as in Europe.”

If Elizabeth Warren and Lindsey Graham can agree on that idea, “I think we’re off to the races,” Graham remarked.

A large number of senators from both parties advocated for stricter regulations and proposed the establishment of a new agency. Senators Amy Klobuchar and Marsha Blackburn advocated for a uniform privacy law to shield internet users from invasive tracking and surveillance. In addition, Senator Chris Coons used his time to promote the Platform Accountability and Transparency Act, a bipartisan bill he introduced in December that would mandate independent audits of social media corporations and the publication of considerably more data pertaining to their operations.