Whistleblower accuses Twitter of “extreme and shocking” security failures

Peiter Zatko, alias “Mudge”, served for fifteen months as head of cybersecurity at Twitter. OLIVIER DOULIERY / AFP

The allegations are serious, detailed and likely to carry weight, as the person making them is a respected figure in the American cybersecurity community. After having been responsible for the IT security of the social network Twitter for a time, Peiter Zatko now accuses the company of “extreme and shocking” failures in this area.

“Mudge”, his nickname since his beginnings in this industry, sent a complaint in July to the American stock market regulator (Securities and Exchange Commission, or SEC) as well as to the American trade regulator (Federal Trade Commission, or FTC) and placed himself under the protection of the American law on whistleblowers. The Washington Post and CNN revealed the information on Tuesday, August 23, having had access to the former executive’s complaint.

“Twitter is grossly negligent in several areas of computer security. If these issues are not addressed, regulators, media and platform users will be shocked when they inevitably learn of Twitter’s serious shortcomings in this regard,” Peiter Zatko wrote in an internal memo dated February, which the company commissioned from him shortly after his dismissal and which is attached to the complaint.

Not enough resources against spam

“Mudge” accuses the company of not having allocated enough resources to fight misinformation and of neglecting the fight against spam in favor of growth in the number of users, in which its leaders had a financial interest. According to him, the company’s recent and recurring assertions about the sophistication of its mechanisms for fighting fake accounts and spam are false. “In reality,” writes the whistleblower in his complaint, “simple computer programs, outdated, without supervision, associated with overloaded, inefficient and too few human teams.”

On this point, Mr. Zatko’s accusations echo one of the criticisms leveled at the company by billionaire Elon Musk, who, after announcing his desire to buy the social network for 44 billion dollars, is trying to backtrack and accuses it of not being transparent about its efforts to fight spam. This question, crucial for the future of the company, will be decided before a court in the American state of Delaware, from October.

According to the complaint, Twitter allegedly violated the agreement signed in 2011 with the US federal competition authority, which was supposed to force it to strengthen its security efforts. The whistleblower thus denounces computer servers that were not updated, and therefore more vulnerable to attacks, as well as the concealment of the real number of security incidents. If breaches of this agreement are confirmed, Twitter faces heavy fines.

Indian government agent at Twitter

One of “Mudge’s” most explosive allegations concerns India. According to the former security boss, Twitter allegedly hired an agent of the Indian government, thus giving him access to certain sensitive data. This accusation comes a few days after a former employee of the social network was convicted of spying on behalf of Saudi Arabia. The number of employees with broad and poorly controlled access to users’ personal data and company source code was far too large, says “Mudge”, and explains the many hacking cases that have marked the history of the platform.

The complaint submitted to the American authorities also depicts a boss, Jack Dorsey at the time, totally uninterested in security questions, his exchanges with his security chief being too few to solve the company’s problems. Mr. Zatko also denounces shortcomings in the organization of the platform’s computer systems, exposing it to major breakdowns, even to permanent loss of data, all of which could threaten its very existence.

“Security and privacy have long been corporate priorities,” a Twitter spokeswoman told The Washington Post, denouncing allegations “full of inconsistencies.” “Mr. Zatko was fired more than six months ago from Twitter for his poor performance and lack of leadership, and now appears to be trying to cause harm to Twitter, its customers and its shareholders,” continued this spokeswoman, defending the company’s policy in the fight against spam and its strict mechanisms for controlling access to its users’ personal data.

A figurehead of cybersecurity

“Mudge” has been a figurehead of the industry since testifying before the Senate in 1998, with long, shaggy hair, alongside his comrades from the legendary hacker group L0pht Heavy Industries. He was already, at the time, denouncing the cruel lack of protection mechanisms on the Internet. He then worked for the US Department of Defense’s innovation agency, did research for Google, and ran security for Stripe, an electronic payments platform.

“Mudge” arrived at Twitter in 2020 crowned with this reputation – Jack Dorsey, the boss at the time, did not hide his admiration for the character – and had to overcome the company’s significant security and misinformation challenges. The social network had just been confronted with a new resounding and embarrassing hack: hackers had hijacked the accounts, certified and therefore supposedly better protected, of Barack Obama, Joe Biden and Elon Musk. In 2017, an employee voluntarily disabled US President Donald Trump’s account, and a year later the company asked several hundred million of its users to change their passwords, fearing they had been disclosed in error. All this against a background of recurring accusations addressed to the social network concerning its shortcomings with regard to disinformation.

The arrival of “Mudge” in this crucial position in a company with significant weight in the media and political landscape was seen with relief by many observers and interpreted as a step in the right direction to resolve this litany of problems. “I will do my best,” Mudge promised in a tweet posted shortly after the announcement of his nomination, with, already, a touch of fatalism.

Martin Untersinger
