Twitter’s ex-security head alleges “egregious” security flaws

Twitter’s former head of security has filed a whistleblower complaint with the government, alleging the social media company has gaping holes in its security practices and misleads the U.S. government — as well as its own corporate board — about its vulnerability.

The complaint from Peiter Zatko, Twitter’s security chief until he was fired in January of this year, claims that Twitter has “extreme, egregious deficiencies” in security, privacy and content moderation. He also contends executives with the blogging platform lied to federal regulators about the strength of its security plan, as the company is required to have under a settlement with the Federal Trade Commission.

The company allegedly has no interest in or ability to calculate the number of bot and spam accounts on the platform, and it mismanages users’ personally identifiable information and suffers regular security breaches, according to the complaint.

Zatko filed the complaint earlier this year with the Federal Trade Commission, Securities and Exchange Commission and Department of Justice. CBS News has obtained a version of the 84-page document shared with Congress, which the Washington Post and CNN earlier reported.

Whistleblower Aid, a legal firm representing Zatko, said Twitter had an obligation to create a safe platform because of its “outsized influence on the lives of hundreds of millions around the world.”

“It has taken the courage of a high-level whistleblower with an impeccable reputation for ethics and integrity for law enforcement agencies, and the public, to learn the truth,” said Libby Liu, CEO of Whistleblower Aid.

Twitter did not immediately respond to a request for comment. In a statement to CNN, Twitter took issue with the complaint, saying that Zatko was fired “for poor performance and ineffective leadership.”

“While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us,” Twitter said, according to CNN.

Lax security, no encryption

Zatko’s complaint claims Twitter had poor internal security controls, with up to half of the company’s 10,000-strong workforce having access to sensitive user data, 30% of employee computers turning off automatic security updates and no management system for employee phones. Many of Twitter’s data centers, which store and process user information, can’t support encryption of data, according to Zatko.

Under a 2011 settlement with the FTC, which followed a series of hacks of the platform, Twitter is required to maintain a “comprehensive information security program.”

However, “Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance,” the complaint alleges.

Along with lying to regulators, Twitter executives also routinely gave incorrect information to the company’s own board and misrepresented the efficacy of its security practices, Zatko alleges.

Two years ago, Twitter’s lackadaisical approach led to the biggest social media hack in history, he also alleged. A Tampa teenager was able to hack into high-profile Twitter accounts, including those of former President Barack Obama, Joe Biden, Jeff Bezos, Michael Bloomberg, Bill Gates and Kim Kardashian West.

According to the complaint, the hack “was pretty simple: Pretending to be Twitter IT support, the teenage hackers simply called some Twitter employees and asked them for their passwords. A few employees were duped and complied and — given systemic flaws in Twitter’s access controls — those credentials ‘were enough to achieve ‘God Mode,’ where the teenagers could imposter-tweet from any account they wanted.”

Zatko also alleges Twitter hired foreign spies, citing claims from a U.S. government source that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.”

Senate Intelligence Committee Chair Dick Durbin said the allegations raise “serious concerns” and vowed to investigate. “If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” the Illinois Democrat said in a statement.

No way to measure bots?

Along with allegations of lax security, the complaint echoes criticism from Elon Musk that the platform is overrun by bots, claiming that executives have no way of knowing what portion of accounts are fake. Musk earlier this year offered to buy Twitter for $44 billion, but withdrew his bid in July. (A trial on whether he is required by law to complete the deal is scheduled for October.)

“[D]eliberate ignorance was the norm amongst the executive leadership team,” Zatko’s complaint claims, with the company being unable to even provide a maximum estimate for the total number of spam and bot accounts. The team responsible for site integrity didn’t know how to measure bots, was consumed with internal drama and had no incentive from the company to find a truthful number, he alleges.

Zatko claims that one internal verification method used by Twitter, but often disabled, foiled up to 12 million bots per month. In 2021, Twitter created a bonus structure under which employees could earn as much as $10 million for a short-term increase in monetizable daily active users, or mDAU, but no bonus for reducing spam on the platform, the complaint claims.

Twitter has long told regulators that fewer than 5% of its daily active users on the platform are bots. However, that claim is a lie, the complaint claims, because the mDAU metric is already designed to leave out bots and other spam accounts.

A spokesperson for the U.S. Senate’s intelligence committee, Rachel Cohen, said the committee has received the complaint and “is in the process of setting up a meeting to discuss the allegations in further detail. We take this matter seriously.”

CBS News’ Nikole Killion and the Associated Press contributed reporting.