Peiter Zatko, who served as Twitter’s head of cybersecurity, has filed a complaint with federal agencies and bolstered Elon Musk’s claims.
Zatko is the famous and well-respected hacker who goes by the handle “Mudge.” He served as Twitter’s cybersecurity head from late 2020, when he was hired by then-CEO Jack Dorsey, until he was fired by the current CEO at the beginning of 2022. According to The Washington Post, he claims the company and CEO Parag Agrawal are intentionally misleading investors and regulators about the state of its security and its issues with spam bots.
“Agrawal’s Tweets and Twitter’s previous blog posts misleadingly imply that Twitter employs proactive, sophisticated systems to measure and block spam bots,” the complaint says. “The reality: mostly outdated, unmonitored, simple scripts plus overworked, inefficient, understaffed, and reactive human teams.”
That statement, as well as the complaint in general, will certainly bolster Elon Musk’s case against Twitter. The tech mogul is trying to back out of his deal to purchase the social media company based on his belief the company is not being truthful about the scope of its spam bot issues. He also claims the company has misled investors.
Zatko also claims to have found multiple instances where Twitter was in violation of a 2011 settlement with the FTC, failing to implement security measures and properly protect users, as it had been ordered to do. While Twitter claims to have complied with its obligations, the sheer number of security breaches the company has faced — not to mention the ease with which the breaches occurred — lends weight to Zatko’s claims.
“If all of that is true, I don’t think there’s any doubt that there are order violations,” David C. Vladeck told the Post in an interview. Vladeck is now a Georgetown Law professor but previously served as director of the FTC’s bureau of consumer protection when the settlement was reached in 2011. “It is possible that the kinds of problems that Twitter faced eleven years ago are still running through the company.”
The complaint alleges Twitter has exceptionally poor security policies in place, policies that leave the company, its intellectual property, and its customers vulnerable to bad actors. Roughly 30% of the company’s laptops allegedly would not automatically update software to receive the latest security fixes. Even worse, Zatko says thousands of laptops had full copies of Twitter’s source code on them, a scenario that is a dream come true for hackers. Why waste time trying to penetrate a carefully secured and protected programming repository when stealing one of the thousands of available laptops will yield the same result?
“It’s near-incredible that for something of that scale there would not be a development test environment separate from production and there would not be a more controlled source-code management process,” Tony Sager, former chief operating officer at the cyberdefense wing of the National Security Agency, told the Post. “Almost any attack scenario is fair game and probably easily executed.”
The Post interviewed more than a dozen current and former employees for context. While some did say the company deployed extensive measures to fight spam, many agreed with much of Zatko’s complaint regarding the general state of security and dysfunction within the company.
For his part, Zatko sees blowing the whistle on Twitter as the final step in completing the job he was hired to do.
“This would never be my first step, but I believe I am still fulfilling my obligation to Jack and to users of the platform,” Zatko said. “I want to finish the job Jack brought me in for, which is to improve the place.”