A ticking bomb of security vulnerabilities. Concealing security flaws. Misleading regulators and misleading legislators.
Those were just some of the allegations when former Twitter security chief-turned-whistleblower Peter Zatko testified before the Senate Judiciary Committee on Tuesday, less than a month after the release of his explosive whistleblower complaint submitted to federal regulatory authorities. Zatko, better known as Mudge, made his first comments since his complaint was made public.
Twitter did not respond to a request for comment.
These are the key takeaways from Mudge’s testimony to lawmakers and what we learned from Tuesday’s hearing.
The FBI has warned Twitter that it has a Chinese spy on staff
Senator Chuck Grassley, the ranking member of the Senate Judiciary Committee, said in opening remarks that the FBI had warned Twitter that it might have a Chinese spy on its payroll.
A redacted version of Mudge’s whistleblower complaint, posted last month, said Twitter had received specific information from the US government that “one or more employees of a specific company were working on behalf of another specific foreign intelligence agency.” The nationalities of the foreign intelligence agents were not disclosed at the time.
But Mudge told the panel that the spy was an agent of China’s Ministry of State Security, or MSS, the country’s main intelligence agency. He added that because Twitter’s engineers — about 4,000 employees — have broad access to company data, a foreign agent hired as an engineer would have access to personal user information and potentially other sensitive company information, such as Twitter’s plans to censor information in a certain region or to comply with a government’s demands. But because Twitter did not closely monitor or log employee access, according to his complaint, Mudge said it was “very difficult” to identify what specific data was taken by Twitter employees working as foreign agents.
The Chinese spy was not the only agent of a foreign government on Twitter’s payroll. Mudge said in his complaint that the Indian government “manages to place agents on the company’s payroll” who are granted “direct, unsupervised access to the company’s systems and user data.” In August, a former Twitter employee was found guilty of spying for the Saudi government and transmitting the user data of suspected dissidents.
Thousands of attempts to hack Twitter every week
A common theme in Mudge’s complaint is that Twitter had no visibility into what its engineers accessed, whether user data or company information. But one system that did track logins for Twitter engineers was recording “thousands” of failed attempts to log into Twitter’s systems each week, Mudge told members of Congress.
Mudge said in his complaint that the company was seeing up to 3,000 failed attempts every day, describing it as a “huge red flag”. Twitter’s then-CTO Parag Agrawal — now CEO — did not assign anyone to diagnose or fix the problem, the complaint added.
“This fundamental lack of Twitter logging is a holdover from them being so behind in their infrastructure, their engineering, and the engineers not being given the opportunity to put things in place to modernize,” Mudge testified.
What Twitter knows about its users and why spies want it
Given the focus on Twitter’s apparently lax controls on access to users’ information, lawmakers asked Mudge what specific kind of data Twitter collects from its users. Mudge said Twitter doesn’t fully understand the scale of the data it collects.
He said the data Twitter collects includes a user’s phone number, current and past IP addresses from which the user connects, current and past email addresses, the person’s approximate location based on IP addresses, and details of the device or browser used to access Twitter, such as its make and model and language.
Mudge said that because engineers could access that information, they would be an attractive target for foreign intelligence agencies. One reason he cited is that governments would find the data useful for targeting specific groups and for learning what Twitter knows about their agents or information operations.
Mudge also warned that user information on Twitter could be used to harass or target individuals, such as a family member or colleague, as part of real-world influence operations, and used as leverage over the people close to them without their knowledge. “It can be used with other data collection,” Mudge told lawmakers, citing past breaches, including the mass theft of health data and US government personnel records, such as the breach of 22 million records from the US Office of Personnel Management in 2012. Mudge told lawmakers that his own OPM file was stolen in that breach, when he worked for the federal government.
US government agencies allow companies to ‘assess their own homework’
Mudge’s complaint and subsequent testimony came just months after Twitter paid $150 million to settle with the Federal Trade Commission for violating its 2011 privacy agreement, after the company collected email addresses and phone numbers to protect users’ accounts but then used the same information for targeted advertising.
Mudge told lawmakers that while government agencies have a responsibility to enforce the law and have the right intentions, he accused the Federal Trade Commission of being “a little over the top” by allowing companies to “rate their own homework.” In response to a question from Sen. Richard Blumenthal, Mudge referred to the 2011 privacy agreement and asked, “How [has Twitter] passed by it?”
Speaking about regulators and their enforcement powers, Mudge told lawmakers, “What I’ve seen is the tools on the toolbar are not working.”