Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait, on August 22, 2022. Photo by Sarah Silbiger for CNN
He was a famous hacker. Now, he's detailing his main concern with Twitter
05:53 - Source: CNN Business
Washington CNN Business  — 

Twitter is exceptionally vulnerable to exploitation by foreign governments in ways that threaten US national security, and may even have foreign spies currently active on its payroll, according to Peiter “Mudge” Zatko, the whistleblower at the center of a massive public disclosure effort reported Tuesday by CNN and The Washington Post.

A combination of weak cybersecurity controls and poor judgment has repeatedly exposed Twitter to numerous foreign intelligence risks, according to Zatko, who was Twitter’s head of security from November 2020 until he was fired in January.

From taking money from untrusted Chinese sources to proposing the company give into Russian censorship and surveillance demands, Twitter execs including now-CEO Parag Agrawal have knowingly put Twitter users and employees at risk in the pursuit of short-term growth, Zatko alleges.

CNN sought comment from Twitter on more than 50 distinct questions in response to the overall disclosure, along with specific questions on the allegations outlined in this story. Twitter did not respond to CNN’s questions on foreign intelligence risks, but a company spokesperson has said Zatko’s allegations overall are “riddled with inconsistencies and inaccuracies, and lacks important context.”

The national security allegations are part of an explosive, nearly 200-page disclosure to Congress, the Justice Department and federal regulators that accuses Twitter’s leadership of covering up critical company vulnerabilities and defrauding the public. Zatko, a longtime cybersecurity expert who has held senior roles at Google, Stripe and the Defense Department, submitted his disclosure to authorities last month after what he described as months of trying unsuccessfully to sound the alarm inside Twitter about the dangers it faced. While the disclosure to Congress is edited to omit sensitive details pertaining to the national security claims, a more comprehensive version with supporting documents has been delivered to the Senate Intelligence Committee and to DOJ’s national security division, according to the disclosure.

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait on August 22.

Among its accusations, the whistleblower disclosure claims the US government provided specific evidence to Twitter shortly before Zatko’s firing that at least one of its employees, perhaps more, were working for another government’s intelligence service. The disclosure does not say whether Twitter acted on the US government tip or whether the tip was credible.

The whistleblower disclosure could further inflame bipartisan concerns in Washington about foreign adversaries and the cybersecurity threat they pose to Americans. In recent years, policymakers have worried about authoritarian governments siphoning US citizens’ data from hacked or pliable companies; leveraging tech platforms to subtly influence or sow disinformation among US voters; or exploiting unauthorized access to gather intel on human rights critics and other perceived threats to non-democratic regimes.

Twitter’s alleged flaws could potentially open the door to all three possibilities.

In response to the disclosure, the Senate Intelligence Committee’s top Republican, Marco Rubio, vowed to look further into the allegations.

“Twitter has a long track record of making really bad decisions on everything from censorship to security practices. That’s a huge concern given the company’s ability to influence the national discourse and global events,” Rubio said. “We’re treating the complaint with the seriousness it deserves and look forward to learning more.”

In the months before Russia invaded Ukraine, Agrawal — then Twitter’s chief technology officer — seemed prepared to make significant concessions to the Kremlin, according to Zatko’s disclosure.

Agrawal proposed to Zatko that Twitter comply with Russian demands that could result in broad-based censorship or surveillance, Zatko alleges, recalling an interaction he had with Agrawal at the time. The disclosure does not provide details about exactly what Agrawal suggested. But last summer Russia passed a law pressuring tech platforms to open local offices in the country or face potential advertising bans, a move western security experts have said could give Russia greater leverage over US tech companies.

Parag Agrawal, CEO of Twitter, at the Allen & Company Sun Valley Conference on July 7 in Sun Valley, Idaho.

Agrawal’s suggestion was framed as a way to grow users in Russia, the disclosure says, and while the idea was ultimately discarded, Zatko still saw it as an alarming sign of how far Twitter was willing to go in pursuit of growth, according to the disclosure.

“The fact that Twitter’s current CEO even suggested Twitter become complicit with the Putin regime is cause for concern about Twitter’s effects on U.S. national security,” Zatko’s disclosure says.

Twitter is also in a compromised position in China, the disclosure to Congress claims. The company has allegedly accepted funding from unnamed “Chinese entities” who now have access to information that could ultimately unmask people in China who are illegally circumventing government censorship to view and use Twitter.

“Twitter executives knew that accepting Chinese money risked endangering users in China,” the disclosure says. “Mr. Zatko was told that Twitter was too dependent upon the revenue stream at this point to do anything other than attempt to increase it.”

Zatko’s 80-page disclosure outlining his allegations, along with nearly two dozen additional supporting documents, is becoming public just two weeks after a former Twitter manager was convicted of spying for Saudi Arabia. The former employee had allegedly abused his access to Twitter data to collect information on suspected Saudi dissidents, including their phone numbers and email addresses, and allegedly fed that information to the Saudi government.

That security breach, first uncovered in 2019, underscores the gravity of Zatko’s allegations, which describe Twitter as an extremely porous organization with alarmingly lax cybersecurity controls compared to its corporate peers. In order to do their jobs, roughly half of Twitter employees have excessive permissions granting access to live user data and the active Twitter product, according to the disclosure, a practice Zatko says is a significant departure from the standards of other major tech companies where access is tightly controlled and employees largely work in special sandboxes isolated from the consumer-facing product. “Every engineer” at the company, Zatko alleges, “has a full copy of Twitter’s proprietary source code on their laptop.”

Twitter has told CNN its handling of source code does not fall outside of industry practices, and that Twitter’s engineering and product teams are authorized to access the company’s live platform if they have a specific business justification for doing so.

The company also said it uses automated checks to ensure laptops running outdated software cannot access the production environment, and that employees may only make changes to Twitter’s live product after the code meets certain record-keeping and review requirements.

The disclosure alleges Twitter has trouble reducing its cybersecurity risks because it can’t control, and often doesn’t know, what employees may be doing on their work computers. Data Zatko disclosed from Twitter’s internal cybersecurity dashboards shows that four in 10 employee devices — representing thousands of laptops — do not have basic protections enabled, such as firewalls and automatic software updates. Employees are also able to install third-party software on their computers with few technical restrictions, the disclosure says, which on multiple occasions has allegedly resulted in employees installing unauthorized spyware on their devices at the behest of outside organizations.

In its responses to CNN, Twitter said employees use devices overseen by other IT and security teams with the power to prevent a device from connecting to sensitive internal systems if it is running outdated software.

Twitter has internal security tools that are tested by the company regularly, and every two years by external auditors, according to a person familiar with Zatko’s tenure at the company. The person added that some of Zatko’s statistics surrounding device security lacked credibility and were derived by a small team that did not properly account for Twitter’s existing security procedures.

John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN “we absolutely stand by the contents of Mudge’s disclosure.”

A person using Twitter.

Undue access and limited oversight of employee conduct creates opportunities for insider threats such as the Saudi operative, but the Saudi government wasn’t the only one to seek greater access to Twitter’s internal systems, Zatko alleges.

The Indian government has successfully “forced” Twitter to hire agents working on its behalf, the disclosure says, “who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data.” Twitter has withheld that fact from its public transparency reports, the disclosure adds.

In the past year, the Indian government has pushed to expand its control over social media within its borders, clashing with Twitter over content removals, forcing tech platforms to hire legal and law enforcement liaisons in the country and even conducting raids on Twitter’s local offices. The person familiar with Zatko’s tenure said the Indian government agents the disclosure refers to were in fact the legal and law enforcement liaisons required under Indian law.

Many tech platforms are global enterprises, and in some cases, as with Russia’s attempt to force tech companies to open local headquarters, their employees can become unwitting points of leverage for governments wanting to exert pressure on the companies. Corporate and user data stored on, or accessible by, employee computers can be at risk of being accessed or seized by local authorities. The employees themselves, or their families, may be at risk of being threatened or coerced.

But Twitter’s unique cybersecurity vulnerabilities has meant that its local offices have become particularly sensitive targets, Zatko alleges. India, Nigeria and Russia have all “sought, with varying success, to force Twitter to hire local [full-time employees] that could be used as leverage,” the disclosure says.

Twitter’s business practices don’t just undermine the United States’ interests but those of all democratic nations, the disclosure alleges, citing the company’s handling of a Nigerian government decision to block Twitter for months last year over a presidential tweet that was widely interpreted as a threat against some Nigerian citizens and subsequently removed by Twitter.

Nigeria lifted its ban on Twitter in January, after the government said the social media platform had agreed to all of its conditions. The conditions include adhering to Nigerian laws on “prohibited publication.”

Despite Twitter’s claims to have been in negotiations with Nigeria after it suspended the company, those talks never actually occurred, Zatko alleges. Twitter’s alleged misrepresentations about engaging the Nigerian government not only harmed the company’s investors, the disclosure says, but it also gave Nigerian officials cover to demand far greater concessions from Twitter than the company otherwise would have given.

The concessions, according to Zatko’s disclosure, have “harmed free expression rights and democratic accountability for Nigerian citizens.”