Twitter whistleblower testifies of serious security flaws to Senate


Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. 

Kevin Dietsch | Getty Images

Twitter’s former security chief Peiter “Mudge” Zatko testified to a Senate panel on Tuesday that his former employer prioritized profits over addressing security concerns that he said put user information at risk of falling into the wrong hands.

“It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room,” Zatko told members of the Senate Judiciary Committee, less than a month after his whistleblower complaint was publicly reported.

Zatko testified that Twitter lacked basic security measures and had a freewheeling approach to data access among employees, opening the platform to major risks. As he wrote in his complaint, Zatko said he believed an agent of the Indian government managed to become an employee at the company, an example of the consequences of lax security practices.

The testimony adds fuel to the criticism by legislators that major tech platforms put revenue and growth goals over user protection. While many companies have flaws in their security systems, Twitter’s unique position as a de facto public square has amplified Zatko’s revelations, which took on extra significance given Twitter’s legal spat with Elon Musk.

Musk sought to buy the company for $44 billion but then tried to back out of the deal, claiming Twitter should have been more forthcoming with information about how it calculates its percentage of spam accounts. A judge in the case recently said Musk could revise his counterclaims to reference issues Zatko raised.

A Twitter spokesperson disputed Zatko’s testimony and said the company uses access controls, background checks and monitoring and detection systems to control access to data.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said in a statement, adding that the company’s hiring is independent from foreign influence.

Here are the key takeaways from Zatko’s testimony:

Lack of control over data

The Twitter logo is seen on a Redmi phone screen in this photo illustration in Warsaw, Poland on 23 August, 2022.

Nurphoto | Getty Images

According to Zatko, Twitter’s systems are so disorganized that the platform can’t say for sure whether it has deleted a user’s data entirely, because Twitter hasn’t tracked where all of that data is stored.

“They don’t know what data they have, where it lives or where it came from, and so, unsurprisingly, they can’t protect it,” Zatko said.

Karim Hijazi, CEO of cyber intelligence firm Prevailion, said large organizations like Twitter often experience “infrastructure drift,” when people come and go, and different systems are sometimes neglected.

“It tends to be a little bit like someone’s garage over time,” said Hijazi, who previously served as director of intelligence at Mandiant, now owned by Google. “Now the problem is, unlike a garage where you can go in and you can start pulling it all apart sort of methodically … you can’t simply wipe away the database because it’s a patchwork quilt of new information and old information.”

Taking down some parts without knowing for sure whether they’re critical pieces could risk bringing down the broader system, Hijazi said.

But security experts expressed surprise at Zatko’s testimony that Twitter didn’t even have a staging environment to test updates. A staging environment is an intermediate step between the development and production environments where engineers can work out issues with their code before setting it live.

“That was quite surprising for a big tech firm like Twitter to not have the basics,” Hijazi said. “Even the smallest little startups in the world that have started seven and a half weeks ago have dev, staging and production environments.”

Chris Lehman, CEO of SafeGuard Cyber and a former FireEye vice president, said “that would be shocking to me” if it’s true Twitter doesn’t have a staging environment.

He said “most mature organizations” would have this step to prevent systems from breaking on the live website.

“Without a staging environment, you create more opportunities for bugs and for problems,” Lehman said.

Broad employee access to user information

The silhouette of an employee is seen beneath the Twitter Inc. logo

David Paul Morris | Bloomberg | Getty Images

Zatko said the lack of understanding of where data lives means employees also have far more access than they should to Twitter’s systems.

“It doesn’t matter who has keys if you don’t have any locks on the doors,” Zatko said.

Engineers, who make up a large portion of the company, are given access to Twitter’s live testing environment by default, Zatko claimed. He said that type of access should be restricted to a smaller group.

With so many employees having access to important information, the company is vulnerable to problematic activities like bribes and hacks, Hijazi and Lehman said.
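The access problem described in this section is a least-privilege failure: engineers reach the live environment simply by being engineers. The following is an added example, not code from the article or from any Twitter system, showing a small role-based policy that defaults to deny, grants production access only to an explicitly named on-call role, and includes a lint that flags any default-assigned role reaching production. All role names, environments and the request log format are constructed for illustration.

```python
"""Default-deny environment access policy with a lint for "production by default" (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    environments: frozenset  # environments this role may touch; anything absent is denied


# Constructed sample policies. WEAK_POLICY mirrors the situation described in the
# testimony: the broadly held "engineer" role reaches production by default.
WEAK_POLICY = {
    "engineer": Role("engineer", frozenset({"dev", "staging", "production"})),
    "contractor": Role("contractor", frozenset({"dev"})),
}

# HARDENED_POLICY keeps production out of the default role; it is reachable only
# through a separate, smaller on-call role that must be granted explicitly.
HARDENED_POLICY = {
    "engineer": Role("engineer", frozenset({"dev", "staging"})),
    "oncall-sre": Role("oncall-sre", frozenset({"dev", "staging", "production"})),
    "contractor": Role("contractor", frozenset({"dev"})),
}

# Roles every new hire is assigned automatically (constructed assumption).
DEFAULT_NEW_HIRE_ROLES = ("engineer",)


def is_allowed(roles, environment, policy):
    """Default deny: allow only if some assigned role explicitly lists the environment."""
    for role_name in roles:
        role = policy.get(role_name)  # unknown roles grant nothing
        if role is not None and environment in role.environments:
            return True
    return False


def roles_with_default_prod_access(policy, default_roles=DEFAULT_NEW_HIRE_ROLES):
    """Lint: which default-assigned roles can reach production? Should be empty."""
    return sorted(r for r in default_roles if is_allowed([r], "production", policy))


def audit_decisions(requests, policy):
    """Render one constructed audit line per access decision, for review or alerting."""
    lines = []
    for user, roles, env in requests:
        decision = "ALLOW" if is_allowed(roles, env, policy) else "DENY"
        lines.append(f"{decision} user={user} env={env} roles={','.join(roles)}")
    return lines


if __name__ == "__main__":
    sample = [("alice", ["engineer"], "staging"),
              ("alice", ["engineer"], "production"),
              ("bob", ["engineer", "oncall-sre"], "production")]
    print("weak policy default prod access:", roles_with_default_prod_access(WEAK_POLICY))
    print("hardened policy default prod access:", roles_with_default_prod_access(HARDENED_POLICY))
    for line in audit_decisions(sample, HARDENED_POLICY):
        print(line)
```

Running the lint against the weak policy names `engineer` as a default role with production reach, while the hardened policy returns nothing; the audit lines give the "lock on the door" that Zatko's quote describes, a record of who was allowed where, so that the broad-access risk Hijazi and Lehman raise becomes visible and reviewable.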

U.S. regulators don’t scare companies into compliance

Headquarters of the Federal Trade Commission in Washington, D.C.

Kenneth Kiesnoski/CNBC

One-time fines that often result from settlements with U.S. regulators like the Federal Trade Commission are not enough to incentivize stronger security practices, Zatko testified.

Zatko told Sen. Richard Blumenthal, D-Conn., that a $150 million settlement, like the one Twitter reached with the FTC in May over allegations it misrepresented how it used contact information to target ads, would be insufficient to deter the company from bad security practices.

The company, he said, would be far more worried about European regulators that could impose more lasting remedies.

“While I was there, the concern only really was about a significantly higher amount,” Zatko said. “Or if it would have been a more institutional restructuring risk. But that amount would have been of little concern while I was there.”
