Skip to main content

Twitter’s former security chief says company lied about bots and safety

Twitter’s former security chief says company lied about bots and safety

/

Whistleblower and legendary hacker Peiter ‘Mudge’ Zatko says he wants to finish the job he was hired for

Share this story

A tough day for Twitter.
A tough day for Twitter.
Alex Castro / The Verge

Twitter has hidden negligent security practices, misled federal regulators about its safety, and failed to properly estimate the number of bots on its platform, according to testimony from the company’s former head of security, the legendary hacker-turned-cybersecurity-expert Peiter “Mudge” Zatko. The explosive allegations could have huge consequences, including federal fines and the potential unraveling of Tesla CEO Elon Musk’s bid to buy Twitter.

Zatko was fired by Twitter in January and claims that this was retaliation for his refusal to stay quiet about the company’s vulnerabilities. Last month, he filed a complaint with the Securities and Exchange Commission (SEC) that accuses Twitter of deceiving shareholders and violating an agreement it made with the Federal Trade Commission (FTC) to uphold certain security standards. His complaints, totaling more than 200 pages, were obtained by CNN and The Washington Post and published in redacted form this morning.

In an interview with CNN, Zatko said he joined Twitter in 2020 at the bequest of then-CEO Jack Dorsey, right after the company was hit by a massive hack in which accounts belonging to figures like Barack Obama, Bill Gates, and Kanye West were compromised. Zatko says he joined Twitter because he believes the platform is a “critical resource” for the world but became disillusioned by the refusal of CEO Parag Agrawal to tackle the company’s many security failings.

“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko told The Washington Post regarding his decision to become a whistleblower. “I want to finish the job Jack brought me in for, which is to improve the place.”

Zatko’s disclosures to the SEC contain many damning reports and accusations, but these are some of the most significant:

  • Indiscriminate access. A significant part of Twitter’s vulnerability is that too many employees have access to critical systems, claims Zatko in his complaint. It states that around half of Twitter’s 7,000 or so full-time employees have access to users’ sensitive personal data (like phone numbers) and internal software (to alter how the service works) and that this access is not closely monitored. He also alleges that thousands of laptops contain complete copies of Twitter’s source code.
  • Misleading the FTC. In 2010, Twitter settled charges with the FTC that it failed to protect consumers’ personal information — a significant and early example of government regulators reining in Big Tech. Zatko’s complaint claims Twitter has repeatedly made “false and misleading statements” to users and the FTC, violating this agreement.
  • Ignoring bots. Twitter has repeatedly claimed that less than 5 percent of its monthly daily active users are bots, fake accounts, or spam. Zatko’s complaint says Twitter’s method of measuring this figure is misleading and that executives are incentivized (with bonuses of up to $10 million) to boost user counts rather than remove spam bots.
  • Government agents. Twitter is a key tool for sharing news and organizing protests, making it a ripe target for governments looking to crack down on dissent. Zatko’s complaint states that he believes the Indian government forced Twitter to hire a government agent, who then had “access to vast amounts of Twitter sensitive data.”
  • Failure to delete. The complaint states that Twitter has, in the past, failed to delete users’ data when requested because such records are spread too widely among internal systems to be properly tracked. A current employee told The Washington Post that the company just completed a project, known as Project Eraser, to ensure proper deletion of user data.

In response to Zatko’s complaint, Twitter has accused its former chief of security of sensationalizing and selectively presenting information. A spokesperson told CNN:

“Mr. Zatko was fired from his senior executive role at Twitter for poor performance and ineffective leadership over six months ago. While we haven’t had access to the specific allegations being referenced, what we’ve seen so far is a narrative about our privacy and data security practices that is riddled with inconsistencies and inaccuracies, and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and we still have a lot of work ahead of us.”

Zatko’s allegations are explosive and will have a significant effect on the company. The FTC is currently reviewing the complaint, according to sources cited by The Washington Post, and would likely levy significant fines against Twitter if Zatko’s accusations are proven to be correct.

The complaint will also affect the ongoing struggle between Musk and Twitter. Musk is currently trying to extricate himself from a $44 billion agreement to buy the company, justifying the decision with an accusation that Twitter is lying about the true number of bot and spam accounts on the platform. “We have already issued a subpoena for Mr. Zatko,” Alex Spiro, a lawyer representing Musk, said in a statement, “and we found his exit and that of other key employees curious in light of what we have been finding.”

Although it’s not clear if Zatko’s complaint affects Musk’s legal argument, it will certainly strengthen the public perception of his case, which is based on the accusation that Twitter is undercounting its bots.

Update August 23rd, 9:35AM ET: Added comment from Elon Musk’s lawyer.

Today’s Storystream

Feed refreshed 7 minutes ago Midjourneys

R
The Verge
Richard Lawler7 minutes ago
Green light.

NASA’s spacecraft crashed, and everyone is very happy about it.

Otherwise, Mitchell Clark is kicking off the day with a deeper look at Dish Network’s definitely-real 5G wireless service , and Walmart’s metaverse vision in Roblox is not looking good at all.


J
External Link
Jess WeatherbedAn hour ago
Won’t anyone think of the billionaires?

Forbes reports that rising inflation and falling stock prices have collectively cost members of the Forbes 400 US rich list $500 billion in 2022 with tech tycoons suffering the biggest losses.

Jeff Bezos (worth $151 billion) lost $50 billion, Google’s Larry Page and Sergey Brin (worth a collective $182b) lost almost $60b, Mark Zuckerberg (worth $57.7b) lost $76.8b, and Twitter co-founder Jack Dorsey (worth $4.5b) lost $10.4b. Former Microsoft CEO Steve Ballmer (worth $83b) lost $13.5b while his ex-boss Bill Gates (worth $106b) lost $28b, albeit $20b of that via charity donations.


R
Twitter
Richard Lawler12:00 AM UTC
A direct strike at 14,000 mph.

The Double Asteroid Redirection Test (DART) scored a hit on the asteroid Dimorphos, but as Mary Beth Griggs explains, the real science work is just beginning.

Now planetary scientists will wait to see how the impact changed the asteroid’s orbit, and to download pictures from DART’s LICIACube satellite which had a front-row seat to the crash.


M
The Verge
We’re about an hour away from a space crash.

At 7:14PM ET, a NASA spacecraft is going to smash into an asteroid! Coverage of the collision — called the Double Asteroid Redirection Test — is now live.


E
Twitter
Emma RothSep 26
There’s a surprise in the sky tonight.

Jupiter will be about 367 million miles away from Earth this evening. While that may seem like a long way, it’s the closest it’s been to our home planet since 1963.

During this time, Jupiter will be visible to the naked eye (but binoculars can help). You can check where and when you can get a glimpse of the gas giant from this website.


E
Twitter
Emma RothSep 26
Missing classic Mario?

One fan, who goes by the name Metroid Mike 64 on Twitter, just built a full-on 2D Mario game inside Super Mario Maker 2 complete with 40 levels and eight worlds.

Looking at the gameplay shared on Twitter is enough to make me want to break out my SNES, or at least buy Super Mario Maker 2 so I can play this epic retro revamp.


R
External Link
Russell BrandomSep 26
The US might still force TikTok into a data security deal with Oracle.

The New York Times says the White House is still working on TikTok’s Trump-era data security deal, which has been in a weird limbo for nearly two years now. The terms are basically the same: Oracle plays babysitter but the app doesn’t get banned. Maybe it will happen now, though?


R
External Link
Russell BrandomSep 26
Edward Snowden has been granted Russian citizenship.

The NSA whistleblower has been living in Russia for the 9 years — first as a refugee, then on a series of temporary residency permits. He applied for Russian citizenship in November 2020, but has said he won’t renounce his status as a U.S. citizen.


E
External Link
Emma RothSep 26
Netflix’s gaming bet gets even bigger.

Even though fewer than one percent of Netflix subscribers have tried its mobile games, Netflix just opened up another studio in Finland after acquiring the Helsinki-based Next Games earlier this year.

The former vice president of Zynga Games, Marko Lastikka, will serve as the studio director. His track record includes working on SimCity BuildIt for EA and FarmVille 3.


A
External Link
Vietnam’s EV aspirant is giving big Potemkin village vibes

Idle equipment, absent workers, deserted villages, an empty swimming pool. VinFast is Vietnam’s answer to Tesla, with the goal of making 1 million EVs in the next 5-6 years to sell to customers US, Canada and Europe. With these lofty goals, the company invited a bunch of social media influencers, as well as some auto journalists, on a “a four-day, multicity extravaganza” that seemed more weird than convincing, according to Bloomberg.