Mudge Blows Whistle on Alleged Twitter Security Nightmare

Published: 23/11/2024   Category: security


Lawmakers and cybersecurity insiders are reacting to a bombshell report from former Twitter security head Mudge Zatko, alleging reckless security lapses that could be exploited by foreign adversaries.



Twitter's former head of security has blown the whistle on what he characterizes as sprawling cybersecurity weaknesses, including vulnerabilities that could lay the social media platform open to cyberattacks with major national-security implications.
That's the allegation from Peiter "Mudge" Zatko, who sent a disclosure of more than 200 pages to Congress detailing issues that he claims could allow foreign manipulation of users, account hacking and espionage, and disinformation campaigns ahead of the 2022 US midterm elections.
The disclosure, obtained exclusively by CNN and The Washington Post, most explosively alleges that the tech giant has one or more employees who are actually plants working for foreign intelligence, and that top executives have actively engaged in a cover-up of Twitter's serious security holes.
Zatko, who has a decades-long history and reputation in the ethical hacking space, laid out an internal scene in which mismanagement and a lack of cohesive security oversight allow over-permissioned access to the company's most sensitive information and control platforms, while bots (disinformation-focused and otherwise) run amok and corporate leadership looks the other way. To boot, Zatko said that Twitter CEO Parag Agrawal told him to make his reports on Twitter's security problems rosier than they deserved to be, and that he was directed to omit damning data so that the company would appear to be making progress on the security and privacy fronts.
When it comes to privacy, Zatko also alleged that Twitter does not steward user information well, often losing track of it or not deleting data when it is required to do so (such as when a user cancels an account).
The allegations certainly fall in the bombshell category, but some in the security community are unsurprised by the claims, especially given the infamous compromise of verified accounts in 2020 by an attacker who was able to access Twitters internal control platforms.
"From research that I coordinated after the 2020 incident, it was obvious that Twitter did not have appropriate privileged user management controls nor separation of duty policies for developers and administrators of their systems," says Aaron Turner, chief technology officer of SaaS Protect at Vectra. "If Mudge's disclosure is correct, that Twitter has a significant system hygiene problem combined with the user management controls and policies, then Twitter's entire platform is at risk of compromise."
For its part, Twitter denies the allegations and claims Zatko should be discredited given that he was fired in January for poor performance.
"Mr. Zatko was fired from his senior executive role at Twitter in January 2022 for ineffective leadership and poor performance," a Twitter spokesperson told CNN. "Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be."
Agrawal weighed in on Tuesday, saying in a corporate memo posted on Twitter that the company is reviewing the claims. "What we've seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," he wrote.
Lawmakers, Cybersecurity Community React
Where the truth lies could come to light sooner rather than later, given that Zatko's report has gotten the attention of lawmakers on both sides of the aisle. Senate Judiciary Chair Sen. Dick Durbin (D-Ill.) said that he will "take further steps as needed to get to the bottom of these alarming allegations. ... The claims I've received from a Twitter whistleblower raise serious national security concerns."
Sen. Chuck Grassley (R-Iowa), ranking member of the Judiciary Committee, told CNN that the allegations should raise "very loud alarm bells."
"Take a tech platform that collects massive amounts of user data, combine it with what appears to be an incredibly weak security infrastructure, and infuse it with foreign state actors with an agenda, and you've got a recipe for disaster," he said. "The claims I've received from a Twitter whistleblower raise serious national security concerns as well as privacy issues, and they must be investigated further."
Casey Ellis, founder and CTO at Bugcrowd, said the scrutiny will hopefully prompt a larger discussion around how much oversight, scrutiny, and regulation social media platforms should have.
"I can't speak to the specifics of the disclosures themselves, but I'm definitely pleased to see this prompting a discussion around the critical infrastructure characteristics of social media platforms and the implications this has on security and privacy, especially as the US approaches midterms and sets itself up for the 2024 election. It seems clear that this categorization as critical infrastructure is something Twitter and other social platforms wish to avoid, but it is a conversation we need to have."
Meanwhile, members of the cybersecurity community have rallied around Zatko, pointing to his character and track record for integrity.
"Mudge has a long and rock-solid reputation of putting integrity first. He's also one of those infosec elders who rarely sticks their neck out to make a fuss, but when they do it's almost certainly worth paying attention to," Ellis tells Dark Reading. "This dates back to the L0pht testimony in 1998, which was a warning to Congress about computer insecurity well before its time. Judging by the way the infosec community has closed ranks around Mudge this morning, others clearly feel the same way. Infosec doesn't suffer fools and has a keen eye for sensationalism, and I think the reaction today speaks very strongly to both his character and the claims themselves."
Turner echoes those sentiments.
"I've known Mudge since his days at Cult of the Dead Cow," says Turner. "When I was at Microsoft, he and the @stake team helped us fundamentally improve our security strategy and tactics. As I've worked across government projects over the last 20 years, I would say that his work at DARPA made a significant difference in the way that the US government approached cybersecurity. He has always had the highest level of integrity and also adheres to the highest technical standards of development and operation of systems. If Mudge says that Twitter has cybersecurity problems, Twitter has some big problems."
Twitter did not immediately respond to a request for comment from Dark Reading on the allegations.
