Ex-Security Chief Accuses Twitter of Hiding Major Flaws

Twitter misled users and federal regulators about glaring weaknesses in its ability to protect personal data, the platform’s former security chief claimed in whistleblower testimony likely to impact the company’s bitter legal battle over Elon Musk’s takeover bid.

In a complaint filed with the US Securities and Exchange Commission and published in part Tuesday by The Washington Post and CNN, Peiter Zatko also accused Twitter of significantly underestimating the number of automated bots on the platform — a key element in Musk’s argument for withdrawing his $44 billion buyout deal.

CNN quotes the disclosure by Zatko as accusing Twitter of “negligence, willful ignorance, and threats to national security and democracy.”

Zatko, who Twitter says it fired earlier this year for poor performance, warns of obsolete servers, software vulnerable to computer attacks and executives seeking to hide the number of hacking attempts, both to US authorities and to the company’s board of directors.

The hacker-turned-executive, who goes by the nickname “Mudge,” also claims that Twitter prioritizes growing its user base over fighting spam and bots, according to the reports.

In particular, according to The Washington Post, he accuses the platform’s boss Parag Agrawal of “lying” in a tweet in May.

In the tweet, Agrawal says Twitter is “strongly incentivized to detect and remove as much spam as we possibly can.”

Twitter has dismissed the allegations.

A company spokesperson told AFP Tuesday that Zatko was fired in January this year for “ineffective leadership and poor performance.”

“What we’ve seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context,” the spokesperson said in a statement.

The “opportunistic timing” of the allegations appears “designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” the statement continued.

“Security and privacy have long been company-wide priorities at Twitter and will continue to be.”

– Subpoena by Musk –

The issue of fake accounts is at the heart of the legal battle between Twitter and Tesla chief Musk.

The billionaire has repeatedly accused the company of minimizing the number of fake accounts and spam on its platform.

Musk is relying on the argument to justify abandoning his plan to buy Twitter for $44 billion and avoid paying severance.

CNN said Zatko had not been in contact with Musk, and that he had begun the whistleblower process before there was any sign of the billionaire’s involvement in Twitter.

“We have already issued a subpoena for Mr. Zatko, and we found his exit and that of other key employees curious in light of what we have been finding,” Musk’s lawyer Alex Spiro told AFP on Tuesday.

The Washington Post and CNN both reported that the US Senate Intelligence Committee wants to meet with Zatko to discuss his accusations.

Zatko was hired in late 2020 by the founder and former boss of Twitter, Jack Dorsey, after a massive hack which saw the accounts of major users including Joe Biden, Barack Obama, reality star Kim Kardashian and Musk himself compromised.

Written by AFP, 2023