
Twitter couldn’t detect foreign agents on its own, whistleblower testifies

Whistleblower Peiter "Mudge" Zatko said that "if you're not placing foreign agents into Twitter … you're most likely not doing your job."
Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on Tuesday. (Photo by Kevin Dietsch/Getty Images)

Twitter’s inability to track how employees accessed internal data blinded the company to foreign spies, its former head of security, Peiter “Mudge” Zatko, testified before the Senate Judiciary Committee on Tuesday.

Zatko attributed the problem to “a lack of fundamental tools and access controls” that put the company at least 10 years behind industry norms. At one point later in his tenure, he recounted, there were “thousands of failed attempts to access internal systems per week,” and nobody could explain where they were coming from or what they were trying to access.
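As an added illustration of the tooling the testimony says was missing (this is example code written for this page, not code from Twitter or from the hearing), the script below takes a handful of constructed audit-log lines in a hypothetical `DENY/ALLOW src= user= target=` format, counts failed attempts per owning team, principal and target, and singles out source addresses that belong to no known internal range. The subnet-to-team inventory is likewise made up for the example.

```python
"""Attribute failed access attempts to internal systems by source, principal
and target, so that "thousands of failures per week" becomes a ranked list
with an owner for each entry.

Added example, not Twitter's code. The log format, field names, subnet
inventory and sample lines are all constructed for illustration."""
from collections import Counter
import re

# Constructed sample lines in a hypothetical audit-log format:
# <timestamp> <result> src=<ip> user=<principal> target=<internal system>
SAMPLE_LOG = """\
2022-09-12T08:01:02Z DENY src=10.4.7.21 user=eng.alice target=user-db-admin
2022-09-12T08:01:05Z DENY src=10.4.7.21 user=eng.alice target=user-db-admin
2022-09-12T08:02:11Z ALLOW src=10.4.7.21 user=eng.alice target=ci-runner
2022-09-12T08:03:40Z DENY src=203.0.113.9 user=svc-legacy target=user-db-admin
2022-09-12T08:03:41Z DENY src=203.0.113.9 user=svc-legacy target=kms
2022-09-12T08:03:42Z DENY src=203.0.113.9 user=svc-legacy target=kms
2022-09-12T09:15:00Z DENY src=10.9.0.3 user=contractor.bob target=gov-requests
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>ALLOW|DENY) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) target=(?P<target>\S+)$"
)

# Constructed inventory mapping internal address prefixes to the team that
# owns them. A source outside every known range is exactly the case
# "nobody could explain where they were coming from".
KNOWN_SUBNETS = {"10.4.": "engineering", "10.9.": "trust-and-safety"}


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped rather than
    raising, since one bad line should not stop the whole report."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def owner_of(src):
    """Map a source address to an owning team, or 'unattributed'."""
    for prefix, team in KNOWN_SUBNETS.items():
        if src.startswith(prefix):
            return team
    return "unattributed"


def attribute_failures(events):
    """Count DENY events per (owner, user, target) and collect the source
    addresses that could not be attributed to any known team."""
    counts = Counter()
    unattributed = set()
    for e in events:
        if e["result"] != "DENY":
            continue
        owner = owner_of(e["src"])
        counts[(owner, e["user"], e["target"])] += 1
        if owner == "unattributed":
            unattributed.add(e["src"])
    return counts, unattributed


def report(log_text=SAMPLE_LOG):
    """Build the attribution report for a log; defaults to the sample."""
    counts, unattributed = attribute_failures(parse(log_text))
    return {"failures": dict(counts), "unattributed_sources": sorted(unattributed)}


if __name__ == "__main__":
    r = report()
    for key, n in sorted(r["failures"].items(), key=lambda kv: -kv[1]):
        print(n, *key)
    print("unattributed sources:", r["unattributed_sources"])
```

The useful output is not the raw count but the rows with owner `unattributed`: those are the failures nobody can account for, and the first thing an investigator would chase. Feeding real audit logs through the same shape of pipeline requires an accurate asset inventory, which is the "fundamental tool" the testimony says was absent.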

A whistleblower complaint filed by Zatko in July included allegations of two incidents involving foreign spies. In one, Twitter knowingly allowed a non-engineering employee who was a state agent for India to retain access to the company’s internal dealings with the Indian government. In the other, the FBI alerted Twitter’s security team to the presence of a Chinese state agent within that team’s own ranks. The details of the second incident were disclosed publicly for the first time at the hearing; they were not available in the redacted version of the whistleblower report.

In his testimony to Congress, Mudge said that a tip from a government agency or another external source was the only way the company would be able to find a foreign agent in its ranks.


Foreign governments may have sought to place agents in order to gain insight into Twitter’s dealings with those same governments. In his whistleblower complaint, Zatko claimed that Twitter had allowed an agent of the Indian government onto its staff, giving that person visibility into the company’s dealings with the Indian government.

Last month, a federal jury convicted a former Twitter employee of using his employee access to spy on Saudi dissidents on behalf of the Saudi government; a second former employee charged in the same case fled to Saudi Arabia before he could be arrested.

Mudge alleged that executives were aware of the problem but unwilling to respond, due in part to business imperatives in nations like China. “Their response was, ‘If we already have one what does it matter if we have more?'”

Members of the Senate Judiciary Committee raised concerns that these vulnerabilities could be used to spy on congressional lawmakers.

“It’s not an exaggeration that employees could take over the account of any Senator in this room,” Mudge said, in the context of his claim that Twitter engineers (about half the company) have unfettered access to the company’s systems even when that access is not needed for their jobs. Such access could be used not only to spread misinformation but also to gather personal information with which to pressure or influence an individual in the real world.


“If you’re not placing foreign agents inside of Twitter, where it’s very difficult to detect them and it’s very valuable to be there, as a foreign agency you’re most likely not doing your job,” Mudge said.

Twitter hired Zatko in November 2020 on the heels of a major hacking scandal in which two teens took over high-profile users’ accounts to spread a cryptocurrency scam. Twitter terminated him in January and has since cited “ineffective leadership and poor performance” as the reason for his termination. (Zatko’s legal team has disputed Twitter’s characterization of his firing.)

Tuesday’s hearing follows the bombshell whistleblower complaint by Zatko alleging that the social media giant misled regulators, consumers and board members about its security performance. The complaint, filed with the Federal Trade Commission, Securities and Exchange Commission and Justice Department, was first reported by CNN and The Washington Post.

If true, Zatko’s allegations would put Twitter in violation of a 2011 consent order issued by the FTC in response to the company’s earlier security failures. Under that order, Twitter agreed to maintain a comprehensive information security program, including limits on employee access to users’ personal data.

Twitter agreed in May to pay $150 million to regulators to settle a complaint that it had previously violated the order by failing, between 2014 and 2019, to inform more than 140 million users that the phone numbers and email addresses they provided for account security would also be used for targeted advertising. The May settlement also requires Twitter to offer multi-factor authentication options that do not require a phone number.


Zatko came to prominence in the 1990s as a member of the hacking collective L0pht. He and other members of the group testified before Congress in 1998 about the insecurity of the internet. He went on to work at the Defense Advanced Research Projects Agency (DARPA) and later at Google.

Twitter has disputed Zatko’s whistleblower complaint both in public statements and in court, where the company is suing billionaire Elon Musk for backing away from a $44 billion deal to purchase it. Musk’s lawyers have argued that both the details of Zatko’s complaint and Twitter’s large severance payment to its former security chief amount to violations of the two parties’ agreement.

Twitter CEO Parag Agrawal declined to attend the hearing, drawing criticism from lawmakers. “The business of protecting Americans’ data is more important than Twitter’s civil litigation in Delaware,” Ranking Member Sen. Chuck Grassley, R-Iowa, said.

Grassley and Senate Judiciary Chairman Dick Durbin, D-Ill., sent Agrawal a letter on Monday with a series of questions about Twitter’s security practices, requesting a response by Sept. 26.

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.