www.cnn.com
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies
By Donie O'Sullivan, Clare Duffy and Brian Fung, CNN Business
Video by John General, Zach Wasser and Logan Whiteside, CNN Business
Portraits by Sarah Silbiger for CNN
Updated 5:59 AM ET, Tue August 23, 2022
Twitter has major security problems that pose a threat to its own users' personal information, to company shareholders, to national security, and to democracy, according to an explosive whistleblower disclosure obtained exclusively by CNN and The Washington Post.
The disclosure, sent last month to Congress and federal agencies, paints a picture of a chaotic and reckless environment at a mismanaged company that allows too many of its staff access to the platform's central controls and most sensitive information without adequate oversight. It also alleges that some of the company's senior-most executives have been trying to cover up Twitter's serious vulnerabilities, and that one or more current employees may be working for a foreign intelligence service.
The whistleblower, who has agreed to be publicly identified, is Peiter "Mudge" Zatko, who was previously the company's head of security, reporting directly to the CEO. Zatko further alleges that Twitter's leadership has misled its own board and government regulators about its security vulnerabilities, including some that could allegedly open the door to foreign spying or manipulation, hacking and disinformation campaigns. The whistleblower also alleges Twitter does not reliably delete users' data after they cancel their accounts, in some cases because the company has lost track of the information, and that it has misled regulators about whether it deletes the data as it is required to do. The whistleblower also says Twitter executives don't have the resources to fully understand the true number of bots on the platform, and were not motivated to. Bots have recently become central to Elon Musk's attempts to back out of a $44 billion deal to buy the company (although Twitter denies Musk's claims).
Zatko was fired by Twitter (TWTR) in January for what the company claims was poor performance. According to Zatko, his public whistleblowing comes after he attempted to flag the security lapses to Twitter's board and to help Twitter fix years of technical shortcomings and alleged non-compliance with an earlier privacy agreement with the Federal Trade Commission. Zatko is being represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen.
John Tye, founder of Whistleblower Aid and Zatko's lawyer, told CNN that Zatko has not been in contact with Musk, and said Zatko began the whistleblower process before there was any indication of Musk's involvement with Twitter.
After this article was initially published, Alex Spiro, an attorney for Musk, told CNN, "We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding."
CNN sought comment from Twitter on more than 50 specific questions regarding the disclosure.
In a statement, a Twitter spokesperson told CNN that security and privacy are both longtime priorities for the company. Twitter also said the company provides clear tools for users to control privacy, ad targeting and data sharing, and added that it has created internal workflows to ensure users know that when they cancel their accounts, Twitter will deactivate the accounts and start a deletion process. Twitter declined to say whether it typically completes the process.
"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," the Twitter spokesperson said. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."
Peiter "Mudge" Zatko was the head of security at Twitter.
A well-known "ethical hacker," Zatko also previously held senior roles at Google, Stripe and the US Department of Defense.
Some of Zatko's most damning claims spring from his apparently tense relationship with Parag Agrawal, the company's former chief technology officer who was made CEO after Jack Dorsey stepped down last November. According to the disclosure, Agrawal and his lieutenants repeatedly discouraged Zatko from providing a full accounting of Twitter's security problems to the company's board of directors. The company's executive team allegedly instructed Zatko to provide an oral report of his initial findings on the company's security condition to the board rather than a detailed written account, ordered Zatko to knowingly present cherry-picked and misrepresented data to create the false perception of progress on urgent cybersecurity issues, and went behind Zatko's back to have a third-party consulting firm's report scrubbed to hide the true extent of the company's problems.
The disclosure is generally much kinder to Dorsey, who hired Zatko and whom Zatko believes wanted to see the problems within the company fixed. But it does depict him as extremely disengaged in his final months leading Twitter -- so much so that some senior staff even considered the possibility he was sick.
CNN has reached out to Dorsey for comment. A person familiar with Zatko's tenure at Twitter told CNN the company investigated several claims he brought forward around the time he was fired, and ultimately found them unpersuasive; the person added that Zatko at times lacked understanding of Twitter's FTC obligations.
Zatko believes his firing was in retaliation for his sounding the alarm about the company's security problems.
The scathing disclosure -- which totals around 200 pages, including supporting exhibits -- was sent last month to a number of US government agencies and congressional committees, including the Securities and Exchange Commission, the Federal Trade Commission and the Department of Justice. The existence and details of the disclosure have not previously been reported. CNN obtained a copy of the disclosure from a senior Democratic aide on Capitol Hill. The SEC, DOJ and FTC declined to comment; the Senate Intelligence Committee, which received a copy of the report, is taking the disclosure seriously and is setting a meeting to discuss the allegations, according to Rachel Cohen, a committee spokesperson.
Sen. Dick Durbin, who chairs the Senate Judiciary Committee and also received the report, vowed to investigate "and take further steps as needed to get to the bottom of these alarming allegations."
Sen. Chuck Grassley, the same panel's top Republican and an avid Twitter user, also expressed deep concerns about the allegations in a statement to CNN.
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," Grassley said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."
The Whistleblower
Zatko first came to national attention in 1998 when he took part in the first congressional hearings on cybersecurity.
"All my life, I've been about finding places where I can go and make a difference. I've done that through the security field. That's my main lever," he told CNN in an interview earlier this month.
The events leading to his decision to become a whistleblower began before he worked at Twitter, with a devastating hack in 2020 in which the Twitter accounts of some of the world's most famous people, including then-presidential candidate Joe Biden, former President Barack Obama, Kim Kardashian and Musk, were compromised. Twitter told CNN that in response to the incident, the company began compartmentalizing access to customer support tool
After the attack, Dorsey recruited Zatko, a well-known "ethical hacker" turned cybersecurity insider and executive who previously held senior roles at Google, Stripe and the US Department of Defense, and who told CNN that he'd been offered a senior, day-one cyber position in the Biden administration.
Zatko, center, was among a group of hackers who testified before Congress on cybersecurity in 1998.
What Zatko says he found was a company with extraordinarily poor security practices, including giving thousands of the company's employees — amounting to roughly half the company's workforce — access to some of the platform's critical controls. His disclosure describes his overall findings as "egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy."
After the January 6 insurrection, Zatko was concerned about the possibility someone within Twitter who sympathized with the insurrectionists could try to manipulate the company's platform, according to his disclosure. He sought to clamp down on internal access that allows Twitter engineers to make changes to the platform, known as the "production environment."
But, the disclosure says, Zatko soon learned "it was impossible to protect the production environment. All engineers had access. There was no logging of who went into the environment or what they did.... Nobody knew where data lived or whether it was critical, and all engineers had some form of critical access to the production environment." Twitter also lacked the ability to hold workers accountable for information security lapses because it has little control or visibility into employees' individual work computers, Zatko claims, citing internal cybersecurity reports estimating that 4 in 10 devices do not meet basic security standards.
Twitter's flimsy server infrastructure is a separate yet equally serious vulnerability, the disclosure claims. About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors, according to the letter to regulators and a February email Zatko wrote to Patrick Pichette, a Twitter board member, that is included in the disclosure.
The company also lacks sufficient redundancies and procedures to restart or recover from data center crashes, Zatko's disclosure says, meaning that even minor outages of several data centers at the same time could knock the entire Twitter service offline, perhaps for good.
Twitter did not respond to questions about the risk of data center outages, but told CNN that people on Twitter's engineering and product teams are authorized to access the production environment if they have a specific business justification for doing so. Twitter's employees use devices overseen by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software, Twitter added.
The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter's live product after the code meets certain record-keeping and review requirements.
"I believe I'm still performing that mission," he said.