Thursday, September 21, 2023
Digital Tech Blog

Twitter whistleblower testifies to Senate of major security flaws: ‘They don’t know what they have’



The whistleblower says a Chinese government spy is working at Twitter

Twitter’s former security chief Peter “Mudge” Zatko testified before a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk of falling into the wrong hands.

“It’s not an exaggeration to say that an employee of the company could take over the accounts of all the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a month after his whistleblower complaint was made public.

Zatko testified that Twitter lacks basic security measures and has a lax approach to data access among employees, exposing the platform to major risks. As he wrote in his complaint, Zatko said he believes an Indian government agent managed to become an employee at the company, an example of the consequences of lax security practices.

Peter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on Twitter’s data security, on Capitol Hill, September 13, 2022 in Washington, DC.

Kevin Deitch | Getty Images

The testimony adds fuel to criticism from lawmakers that big tech platforms are putting revenue and growth goals ahead of consumer protections. While many companies have gaps in their security systems, Twitter’s unique position as a de facto public square amplified Zatko’s revelations, which took on added significance given Twitter’s litigation with Elon Musk.

Musk tried to buy the company for $44 billion, but then tried to back out of the deal, claiming Twitter should have been more forthcoming with information about how it calculated its percentage of spam accounts. A judge in the case recently said Musk could revise his counterclaims to address issues raised by Zatko.

A Twitter spokesperson disputed Zatko’s testimony and said the company uses access controls, background checks and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring was independent of foreign influence.

Here are the main takeaways from Zatko’s testimony

Lack of control over data

The Twitter logo is seen on the screen of a Redmi phone in this photo illustration in Warsaw, Poland on August 23, 2022.

Nurphoto | Getty Images

According to Zatko, Twitter’s systems are so disorganized that the platform cannot say for sure whether it has completely deleted users’ data. That’s because Twitter hasn’t tracked where all that data is stored.

“They don’t know what data they have, where it lives or where it comes from, so it’s not surprising that they can’t protect it,” Zatko said.

Karim Hijazi, CEO of cyber-intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure drift” as people come and go and different systems are sometimes neglected.

“Over time, it looks a bit like somebody’s garage,” said Hijazi, who previously served as director of intelligence at Mandiant, now owned by Google. “The problem now is that unlike a garage where you can go into a garage and start taking it apart kind of methodically… you can’t just delete the database because it’s a mosaic of new and old information.”

Removing some parts without knowing for sure whether they are critical parts could risk bringing down the broader system, Hijazi said.

But security experts expressed surprise at Zatko’s testimony that Twitter didn’t even have a staging environment for testing updates, an intermediate step between a development environment and the production environment where engineers can catch problems with code before it goes live.

“It was quite surprising for a big tech company like Twitter not to have the basics,” Hijazi said. “Even the tiniest little startups in the world that launched seven and a half weeks ago have a development environment, a staging environment, and a production environment.”

Chris Lehman, CEO of SafeGuard Cyber ​​and former vice president of FireEye, said “it would be shocking to me” if it were true that Twitter did not have a staging environment.

He said the “most mature organizations” will have this step in place to prevent the systems from breaking the live website.

“Without a staging environment, you create more opportunities for mistakes and problems,” Lehman said.

Broad employee access to user information

The silhouette of an employee is seen below the Twitter Inc logo

David Paul Morris | Bloomberg | Getty Images

Zatko said the lack of understanding of where the data lives means employees also have far more access than they should to Twitter’s systems.

“It doesn’t matter who has the keys if you don’t have locks on the doors,” Zatko said.

Engineers, who make up a large part of the company, get access to Twitter’s live production environment by default, Zatko said. He said this kind of access should be limited to a much smaller group.

Because so many employees have access to sensitive information, the company is exposed to insider threats such as bribery and account compromise, Hijazi and Lehman said.
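The access model Zatko describes, engineers holding production access by default, is the opposite of deny-by-default with explicit, scoped, time-bounded grants. The following is an added example written for this page, not code from Twitter or from anyone quoted in the article; the roles, grant schema, principal names, resource names and the `INC-1234` ticket reference are all constructed for illustration. It shows a policy in which role membership grants nothing in prod, every grant expires, every decision is logged, and the question “who currently has the keys to prod?” can be answered from the grant set itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One explicit, scoped, time-bounded access grant (constructed schema)."""
    principal: str
    environment: str        # "dev", "staging" or "prod"
    resource: str           # e.g. a user-data store
    actions: frozenset      # e.g. frozenset({"read"})
    expires_at: datetime    # grants always expire; renewal needs a new approval
    justification: str      # ticket or approval reference


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessPolicy:
    """Deny by default: an action is allowed only if an unexpired grant matches
    the principal, environment, resource and action exactly. Being an
    'engineer' (or any role) grants nothing in prod on its own."""

    def __init__(self, grants):
        self._grants = list(grants)
        self.audit_log = []   # every decision, allowed or denied, is recorded

    def check(self, principal, environment, resource, action, now=None):
        now = now or datetime.now(timezone.utc)
        matching = [g for g in self._grants
                    if g.principal == principal and g.environment == environment
                    and g.resource == resource and action in g.actions]
        live = [g for g in matching if g.expires_at > now]
        if live:
            decision = Decision(True, "grant " + live[0].justification)
        elif matching:
            decision = Decision(False, "all matching grants expired")
        else:
            decision = Decision(False, "no matching grant (default deny)")
        self.audit_log.append((now.isoformat(), principal, environment,
                               resource, action, decision.allowed, decision.reason))
        return decision

    def principals_with_access(self, environment, now=None):
        """Answer 'who has the keys?' for an environment at a point in time."""
        now = now or datetime.now(timezone.utc)
        return sorted({g.principal for g in self._grants
                       if g.environment == environment and g.expires_at > now})


# Constructed sample data: a four-hour break-glass grant for one on-call
# engineer, plus standing dev access for another. Nobody has prod by default.
T0 = datetime(2022, 9, 13, 12, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    Grant("alice", "prod", "user-db", frozenset({"read"}),
          T0 + timedelta(hours=4), "INC-1234 on-call investigation"),
    Grant("bob", "dev", "user-db", frozenset({"read", "write"}),
          T0 + timedelta(days=90), "TEAM-ONBOARD"),
]


def demo(now=T0):
    """Return (alice in prod now, bob in prod now, alice in prod 5h later)."""
    policy = AccessPolicy(SAMPLE_GRANTS)
    alice_prod = policy.check("alice", "prod", "user-db", "read", now)
    bob_prod = policy.check("bob", "prod", "user-db", "read", now)  # dev grant does not carry over
    alice_later = policy.check("alice", "prod", "user-db", "read", now + timedelta(hours=5))
    return alice_prod, bob_prod, alice_later


def prod_principals_after(hours):
    """Who holds live prod access `hours` after T0, derived from the grants."""
    return AccessPolicy(SAMPLE_GRANTS).principals_with_access("prod", T0 + timedelta(hours=hours))


if __name__ == "__main__":
    for d in demo():
        print(d)
    print("prod access now:", prod_principals_after(0), "| after 5h:", prod_principals_after(5))
```

The point of the expiry and the `principals_with_access` query is that the set of people who can reach production data is computed from approved grants rather than inferred from org charts, which is what lets an organization state with confidence who can touch a given data store and when that access ends.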

US regulators don’t scare companies into compliance

Federal Trade Commission headquarters in Washington, DC

Kenneth Kiesnoski/CNBC

One-time fines, which often result from settlements with U.S. regulators such as the Federal Trade Commission, are not enough to incentivize stricter security practices, Zatko testified.

Zatko told Sen. Richard Blumenthal, D-Conn., that a $150 million settlement like the one Twitter reached with the Federal Trade Commission in May over allegations it misrepresented how it used contact information to target ads would be insufficient to deter the company from poor security practices.

The company, he said, would be much more concerned about European regulators, who could impose more permanent measures.

“While I was there, the concern was really only about a significantly higher amount,” Zatko said. “Or if it would have been a greater risk of institutional restructuring. But that amount wouldn’t matter much while I was there.”


Despite the flaws, users shouldn’t necessarily feel pressured to delete their accounts, Zatko and other security experts said.

“People can always choose to just disconnect,” Lehman said. “But the reality is that social media platforms are platforms for dialogue. And they are the new town square. It serves the public good. I think it would be bad if people just stopped using it.”

Hijazi said there was no point in hiding.

“That’s impossible nowadays,” he said. “However, I think the naivete to believe that these organizations are really in control of this and actually have protected information is wrong.”

Copyright © 2021-2023 Digital Tech Blog All Rights Reserved.