Twitter’s former head of security has accused the company of “extreme, egregious deficiencies” in its handling of user information and spam bots in a scathing whistleblower complaint.
Peiter Zatko, a veteran hacker and security expert known as “Mudge”, says the company has deceived users, board members and the federal government about the strength of its security measures. Zatko was hired in 2020 by the Twitter co-founder and then CEO Jack Dorsey to strengthen the company’s security after a mass hack targeted 130 high-profile Twitter accounts.
“Twitter is grossly negligent in several areas of information security,” Zatko wrote in an analysis written in February that was included in the complaint. “If these problems are not corrected, regulators, media and users of the platform will be shocked when they inevitably learn about Twitter’s severe lack of security basics.”
Zatko filed the complaint, which was first reported by the Washington Post and CNN on Tuesday morning, to the Securities and Exchange Commission (SEC), Department of Justice and the Federal Trade Commission (FTC). A redacted version of the complaint has been sent to multiple congressional committees.
The filing alleges that Twitter has violated its 2011 settlement with the FTC, in which the company agreed to create an extensive security plan to protect users’ personal information. Zatko says that user data, including data belonging to Twitter’s most high-profile verified handles, is vulnerable to hacks.
A specific issue Zatko raises is the access that thousands of Twitter employees have to the company’s core software, combined with the weak security he says many of their devices have. The complaint alleges that about 30% of laptops in the company automatically blocked
Read more on theguardian.com