During a Senate Judiciary Committee hearing titled “Data Security at Risk: Testimony from a Twitter Whistleblower,” famed ethical hacker and former head of Twitter security Peiter “Mudge” Zatko answered questions on the trove of alleged Twitter security vulnerabilities that were made public in a whistleblower disclosure last month.
In the disclosure, Mudge, who worked at Twitter from November 16, 2020 until January 19, 2022, suggested that Twitter had been penetrated by foreign intelligence agencies multiple times, accused Twitter employees of repeatedly installing spyware on their work computers at the request of external organizations, and alleged that around half of Twitter’s employees were given access to sensitive data.
And during his testimony today, Mudge shared numerous stories and learnings from his time at Twitter to illustrate the potential implications of the current state of the company’s security.
Here are the key claims Mudge made while testifying:
1. At least one Chinese intelligence agent has penetrated Twitter
During his testimony, Mudge commented on the Federal Bureau of Investigation (FBI) notifying Twitter that one of its employees was suspected of being a Chinese foreign asset.
“This was made aware to me maybe a week before I was surprised and…summarily dismissed,” Mudge said. “I had been told because the corporate security, physical security team had been contacted and told that there was at least one agent of the MSS [Ministry of State Security], which is one of China’s intelligence services, on the payroll inside Twitter.”
Mudge added that this revelation was “disturbing to hear” but said the “state of the environment at Twitter” made it very difficult to detect foreign agents inside the company.
2. Twitter’s security practices make it difficult to track the level of penetration by bad actors and foreign agents
Mudge testified that Twitter did not have a development or staging environment (a separate environment used to test software changes before they are pushed to the main platform) while he was with the company, something he described as “an oddity” and “an exception to the norm.” As a result, he said, Twitter engineers, who represent around half of Twitter’s workforce, are given some access to Twitter’s live production environment, which contains live data.
“If you are a foreign agent and you are hired and you are an engineer, you’ve got access to all that data that we talked about,” Mudge said.
Mudge also claimed that Twitter’s lack of logging made it “extremely difficult” to track employees that were identified as foreign agents.
“There was a lack of logging and inability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage,” Mudge said. “They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”
He noted that most other companies have logs that show attempted logins, employee activities on the system, the time of these activities, and other data that reveals what’s happening on their systems.
“Later on in my tenure, I learned that there were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing,” Mudge said. “This fundamental lack of logging inside Twitter is…a remnant of being so far behind on their infrastructure and the engineering.”
Mudge claimed that Twitter’s lack of effort around logging was because the company prioritizes other efforts such as driving revenue.
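The kind of basic review Mudge describes as missing (logs of attempted logins, who did what and when, and someone actually looking at failed-access counts) can be illustrated with a few lines of code. The following is an added example, not code from the article, from Twitter, or from Mudge; the log line format, the sample entries, the usernames, addresses and system names are all constructed for the illustration, and the five-failures-in-five-minutes threshold is an assumed tuning value.

```python
"""Added example: minimal failed-access monitoring over constructed log lines.

Illustrates the two things the testimony says were missing: a weekly count of
failed attempts per internal system, and detection of a burst of failures from
one user/source pair that someone should notice.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Assumed line format:
#   <ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip> system=<internal system>
SAMPLE_LOG = """\
2022-09-13T10:00:01Z FAIL user=alice src=203.0.113.7 system=admin-console
2022-09-13T10:00:05Z FAIL user=alice src=203.0.113.7 system=admin-console
2022-09-13T10:00:09Z FAIL user=alice src=203.0.113.7 system=admin-console
2022-09-13T10:00:12Z FAIL user=alice src=203.0.113.7 system=admin-console
2022-09-13T10:00:20Z FAIL user=alice src=203.0.113.7 system=admin-console
2022-09-13T10:01:00Z OK   user=bob   src=198.51.100.4 system=user-lookup
2022-09-13T10:05:00Z FAIL user=carol src=198.51.100.9 system=user-lookup
2022-09-13T11:00:00Z FAIL user=carol src=198.51.100.9 system=user-lookup
"""


def parse_line(line):
    """Parse one log line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 3:
        return None
    event = {
        "time": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
        "result": parts[1],
    }
    for field in parts[2:]:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every line of the log text, skipping lines that do not parse."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def failures_by_system(events):
    """Count failed attempts per internal system (the 'thousands per week' figure)."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[e["system"]] += 1
    return dict(counts)


def failed_access_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return (user, src, system, count) for every user/source/system with at
    least `threshold` failures inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_key[(e["user"], e["src"], e["system"])].append(e["time"])

    bursts = []
    for key, times in by_key.items():
        times.sort()
        start, densest = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            densest = max(densest, end - start + 1)
        if densest >= threshold:
            bursts.append((*key, densest))
    return bursts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failed attempts per system:", failures_by_system(events))
    for user, src, system, count in failed_access_bursts(events):
        print(f"ALERT: {count} failures by {user} from {src} against {system}")
```

In the sample data, alice's five failures against the admin console within twenty seconds produce an alert, while carol's two failures an hour apart are counted in the weekly total but do not trip the burst rule. The point is not the thresholds, which a real deployment would tune, but that none of this is possible without the timestamped, attributable access logs the testimony says were absent.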
3. A Twitter employee could take over the accounts of all the Senators on the Committee
During his opening statement, Mudge said Twitter employees have “too much access to too much data and to too many systems” and noted that this level of access could allow them to take over high-profile accounts, including those of US senators.
“It’s not far-fetched to say that an employee inside the company could take over all the accounts inside this room,” Mudge said.
4. Twitter employees can easily surveil users’ real-time location data
When answering a question about the amount of data Twitter collects, Mudge recalled an incident about a Twitter user harassing some members of Twitter’s executive team and its board. He said that after Twitter’s Chief Technology Officer (CTO) asked him who the user was, a Twitter employee was able to gather massive amounts of data on the user within 10 minutes.
Specifically, Mudge said the Twitter employee provided him with data on “who they are,” “the address where they live,” “where they are physically at this moment,” the device they were using at that moment, their phone number, all the accounts they’ve tried to set up on Twitter, and their accounts on other social media platforms.
When answering another question, Mudge added that Twitter also collects users’ current Internet Protocol (IP) address, previous IP addresses, current email address, previous email addresses, device information, web browser information, and language information.
5. Twitter is unable to delete data
Mudge elaborated on a claim in his whistleblower disclosure that Twitter’s Head of Privacy Engineering and Chief Privacy Officer had told the board of directors that Twitter’s “inability to delete data” compounds the risk of “inappropriate access or use of data” because Twitter retains “data we should not have and which is therefore accessible by people who do not need to have access to this data.”
Mudge noted that if a Twitter account is deleted, Twitter can’t be sure that the data associated with the account is actually deleted because “you don’t know where else this data lives in systems because you don’t know what data you have and where it is.” This state of affairs, according to Mudge, makes Twitter unable to delete data.
You can watch the full hearing here.