The year 2022 is getting more chaotic for Twitter Inc. The company, already in a legal fight to force Tesla CEO Elon Musk to complete his $44-billion purchase deal, was hit by fresh allegations from its former head of security Peiter “Mudge” Zatko, who says the company has serious and widespread security vulnerabilities. Rejecting his claims, Twitter CEO Parag Agrawal has now said that Zatko’s account is baseless and “riddled with inconsistencies and inaccuracies, and presented without important context”.
Recent reports in The Washington Post and CNN said that Zatko, in a whistleblower disclosure, claimed that while working at Twitter he uncovered “extreme, egregious deficiencies” in the company’s handling of users’ privacy, security, and content moderation. Zatko was fired in January this year for “poor performance”.
The timing of the whistleblower letter is crucial, as it could give Musk grounds to walk away from his $44-billion deal to buy Twitter. Musk has already raised concerns about spam-bot accounts on the platform. Twitter has in turn taken the Tesla CEO to court, and the matter will be heard in the Delaware Court of Chancery on October 17.
The whistleblower letter
According to the reports, Zatko sent the disclosure last month to Congress and to federal agencies including the Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC), and the Department of Justice, stating that the microblogging site has major security problems that pose a serious threat to users’ personal information, companies’ secrets, shareholders, national security and democracy.
The letter further stated that the company allows too many of its employees to access its central controls, exposing sensitive user information, and that this access is not monitored.
Zatko further alleged that the company’s top leadership and senior executives are trying to keep these deficiencies under wraps, and that one or more employees could be working for a “foreign intelligence service”.
He also alleged that the current leadership was misleading its own board and government regulators about security lapses in its systems, lapses that could enable “foreign spying or manipulation, hacking and disinformation campaigns”.
Zatko also said that when he raised the lapses he got “stiff pushback” from Agrawal, who was Chief Technology Officer before being promoted to CEO.
He added that Twitter has violated an 11-year-old settlement with the FTC by inappropriately claiming to have a comprehensive security program in place.
In his disclosure, which runs to around 200 pages, Zatko added that his findings were worse than what former CEO Jack Dorsey had feared at the time, and that the problems have worsened under Agrawal. He said the company had never complied with the FTC order and was not on track to do so.
He also said that the company has kept Musk in the dark about the number of spam bots on its platform and has misled the FTC about fully deleting the data of users who leave the service.
He also said that Twitter’s server infrastructure is itself a serious problem because it is highly vulnerable: the company’s 500,000 servers run outdated software that lacks basic security features such as encryption for stored data and no longer receives regular security updates from vendors.
Agrawal’s reply
In his reply, which was published on Twitter by CNN reporter Donie O’Sullivan, Agrawal said Zatko was himself fired in January 2022 for “ineffective leadership and poor performance.”
He added that Zatko’s narrative about the company is false and “is riddled with inconsistencies and inaccuracies, and presented without important context.”
He pointed out that Mudge, as Twitter’s head of security, was himself responsible for the lapses he is now highlighting, and is blowing them out of proportion more than six months after his termination.
“I know this is frustrating and confusing to read, given Mudge was accountable for many aspects of this work that he is now inaccurately portraying more than six months after his termination. But none of this takes away from the important work you have done and continue to do to safeguard the privacy and security of our customers and their data,” he wrote to his employees.
CNN reported that Agrawal had vowed to challenge the whistleblower disclosure and warned his staff to expect more such stories to appear.
Cybersecurity champion?
It is worth noting that Zatko is a longtime security expert who worked at DARPA (part of the US Department of Defense) and Google before joining Twitter in 2020. He was hired by former CEO Jack Dorsey after a few teenagers hijacked high-profile Twitter accounts belonging to celebrities such as Tesla CEO Musk, Kim Kardashian, former President Barack Obama, and Joe Biden, who at the time was running for US president. His first major public appearance was in 1998, when he took part in the first congressional hearings on cybersecurity.