Ex-Twitter Security Leader Says Platform Has 'Extreme' Security Deficiencies
The cybersecurity community is backing the former Twitter executive.
The former head of Twitter security is accusing the company of “extreme, egregious deficiencies” in its spam- and hacker-fighting practices.
According to CNBC, the complaints were filed by nonprofit law firm Whistleblower Aid. It’s representing Twitter’s former head of security, Peiter “Mudge” Zatko.
It filed the complaints with the U.S. Securities and Exchange Commission (SEC), the Federal Trade Commission (FTC) and the Department of Justice. They were published by The Washington Post and CNN.
In the SEC complaint, Zatko alleges that he “witnessed [a] senior executive engaging in deceitful and/or misleading communications.” That affected board members, users and shareholders on multiple occasions in 2021, he said.
He also alleges CEO Parag Agrawal asked him to provide false and misleading documents.
Zatko said Twitter failed to accurately represent four key issues to the board, including out-of-date software that lacked basic security measures; “gross problems” regarding who could access or control systems and data; problematic internal processes; and a “stunning” volume and frequency of security incidents impacting a large number of users’ data.
We couldn’t reach Twitter for comment. In a letter to Twitter staff posted by CNN, Agrawal said he terminated Zatko for “ineffective leadership and poor performance.” The letter also called Zatko’s allegations a “false narrative.”
Cybersecurity Community Backs Zatko
Casey Ellis is Bugcrowd’s founder and CTO. He said Zatko has a “long and rock-solid reputation of putting integrity first.”
“He’s also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it’s almost certainly worth paying attention to,” he said. “This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around him this morning, others clearly feel the same way. Infosec doesn’t suffer fools and has a keen eye for sensationalism. And I think the reaction today speaks very strongly to both his character and the claims themselves.”
Ellis said he can’t speak to the specifics of the disclosures themselves. But he’s “definitely pleased to see this prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on national security and privacy, especially as the midterms in the United States get underway and sets itself up for the 2024 election.”
“It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms would probably rather avoid, but it is a conversation we need to have,” he said.
Twitter Has ‘Big’ Security Problems
Aaron Turner is CTO of SaaS Protect at Vectra.
“I’ve known Mudge since his days at Cult of the Dead Cow,” he said. “When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I’ve worked across government projects over the last 20 years, I would say that his work at the Defense Advanced Research Projects Agency (DARPA) made a significant difference in the way that the U.S. government approached cybersecurity.”
Zatko has always had the “highest level of integrity,” Turner said. He also adheres to the highest technical standards of development and operation of systems.
“If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems,” he said.
After the 2020 Twitter hack, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems, Turner said.
“If Mudge’s disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter’s entire platform is at risk of compromise,” he said.
Serious Twitter Security Issues Highlighted
Javvad Malik is security awareness advocate at KnowBe4. He said the allegations will definitely have a long-term effect on Twitter. It could also impact how other social media platforms manage the security of their platforms.
“Mudge is a long-standing and well-respected member of the security community,” he said. “And while it appears as if there could be an underlying clash of personalities with Agrawal, these should not detract from the quite serious security issues that have been highlighted.”
At the time of their inception, there was no way that social media organizations could have predicted the massive influence they would have on individuals, organizations, governments and the world at large, Malik said.
“Therefore, organizations like Twitter need to focus and invest more in cybersecurity and privacy controls to ensure the power it has cannot be misused,” he said. “And for that, the organization needs to foster and build a culture of security from within, one where weaknesses can be openly discussed, and not hidden under the rug.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.