Zatko further argues that Twitter does not have a comprehensive development or testing environment in which to pilot new features and system updates before they are rolled out. As a result, Zatko describes a situation where engineers work alongside live systems and “test directly on commercial service, leading to regular service failures.” The documents allege that half of Twitter’s employees had privileged access to live production systems and user data, and that this access was not monitored closely enough to detect fraudulent or otherwise unwanted activity. Zatko’s complaint describes Twitter as having about 11,000 employees; Twitter says it currently has about 7,000.
The complaints allege that these poor security practices explain Twitter’s track record of security incidents, data breaches and malicious takeovers of user accounts.
“We are looking into the redacted claims that have been published,” Twitter CEO Parag Agrawal wrote in a message to Twitter staff this morning. “We will pursue all avenues to protect our integrity as a company and set the record straight.”
Twitter says all employee computers are centrally managed and that IT can force updates or restrict access if updates aren’t installed. The company also said that before a computer can connect to production systems, it must pass an audit to ensure its software is up to date, and that only employees with a “business justification” can access the production environment for “specific purposes.”
Al Sutton, co-founder and CTO of Snapp Automotive, worked as a full-time software engineer at Twitter from August 2020 to February 2021. He noted in a tweet on Tuesday that Twitter had never removed him from its GitHub staff group, which can make changes to the company’s code hosted on the development platform. Sutton retained access to private repositories for 18 months after being let go from the company, and he posted evidence that Twitter uses GitHub not only for public open-source work but also for internal projects. About three hours after his tweet, Sutton reported that the access had been revoked.
“I think Twitter is pretty casual about Mudge’s claims, so I thought a verifiable example might be helpful for people,” he told WIRED. When asked whether Zatko’s allegations were consistent with his own experience at Twitter, Sutton added, “I think the best thing to say here is that I have no reason to doubt his claims.”
Security engineers and researchers point out that while there are various ways to secure a production environment, there is a conceptual problem with employees having broad access to user data and deployed code without extensive logging. Some organizations drastically limit access; others combine broad access with constant monitoring. Either option should be a conscious choice in which the company invests heavily. For example, after Google was breached in 2010 in an attack attributed to the Chinese government, the company went all-in on the former approach.
“It’s actually not that unusual for companies to have relatively liberal policies about giving engineers access to production systems, but when they do, they’re very, very strict about logging everything that’s done,” says Perry Metzger, managing partner of the consultancy Metzger, Dowdeswell & Company. “Mudge has a great reputation, but let’s just say he was totally incompetent. It would be easiest for them to provide the technical details of the logging systems they use for engineer access to production systems. But what Mudge portrays is a culture where people would rather hide things than fix them, and that’s the disturbing part.”
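Two of the controls the article touches on, an access review that catches departed staff who still sit in a privileged group (the GitHub case described above) and a production-access gate that requires a recorded business justification, expires, and logs every action taken under it (the "broad access, strict logging" model Metzger describes), shown as a constructed Python example added here. This is not Twitter's code or any tool named in the article; the roster, group membership, login names and ticket IDs are made up for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# --- Control 1: offboarding reconciliation -------------------------------
# Compare the HR roster against a privileged group's membership. Anyone in
# the group who is terminated, or unknown to HR entirely, is stale access.

@dataclass(frozen=True)
class Employee:
    login: str
    terminated: Optional[datetime]  # None while still employed


def find_stale_privileged_members(roster: List[Employee],
                                  privileged_group: List[str],
                                  now: datetime) -> List[str]:
    """Return logins that hold privileged membership without being active staff."""
    active = {e.login for e in roster
              if e.terminated is None or e.terminated > now}
    return sorted(login for login in privileged_group if login not in active)


# --- Control 2: justified, time-boxed, fully logged production access -----

@dataclass
class AccessBroker:
    log: List[dict] = field(default_factory=list)
    grants: Dict[str, datetime] = field(default_factory=dict)  # login -> expiry

    def _record(self, event: str, login: str, now: datetime, **details) -> None:
        entry = {"ts": now.isoformat(), "event": event, "login": login}
        entry.update(details)
        self.log.append(entry)  # every decision, allowed or not, is logged

    def request_access(self, login: str, justification: str, ticket: str,
                       now: datetime, ttl: timedelta = timedelta(hours=4)) -> bool:
        """Grant time-limited access only when a justification and ticket exist."""
        if not justification.strip() or not ticket.strip():
            self._record("denied", login, now, reason="missing justification or ticket")
            return False
        expiry = now + ttl
        self.grants[login] = expiry
        self._record("granted", login, now, justification=justification,
                     ticket=ticket, expires=expiry.isoformat())
        return True

    def run(self, login: str, command: str, now: datetime) -> bool:
        """Execute (here: just authorize) a production command under a live grant."""
        expiry = self.grants.get(login)
        if expiry is None or now >= expiry:
            self._record("blocked", login, now, command=command)
            return False
        self._record("executed", login, now, command=command)
        return True


if __name__ == "__main__":
    # Constructed sample data: three staff, one let go 18 months ago,
    # plus a login HR has never heard of still sitting in the staff group.
    now = datetime(2022, 8, 23, tzinfo=timezone.utc)
    roster = [
        Employee("alice", None),
        Employee("bob", None),
        Employee("carol", now - timedelta(days=548)),
    ]
    staff_group = ["alice", "bob", "carol", "contractor-old"]
    print("stale:", find_stale_privileged_members(roster, staff_group, now))

    broker = AccessBroker()
    broker.request_access("alice", "", "", now)                 # denied
    broker.request_access("alice", "debug timeline outage", "INC-1234", now)
    broker.run("alice", "kubectl logs timeline-api", now + timedelta(hours=1))
    broker.run("alice", "kubectl logs timeline-api", now + timedelta(hours=5))  # expired
    for entry in broker.log:
        print(entry)
```

The review in the first half is what would have surfaced the 18-month-old GitHub membership: run it on a schedule against every privileged group, not only at offboarding time. The broker in the second half is the shape of Metzger's "liberal access, strict logging": access is never ambient, it carries a justification and an expiry, and denied and expired attempts are logged alongside the successful ones so the audit trail is complete.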
Zatko and Whistleblower Aid, the nonprofit legal group representing him, say they stand by the documents released Tuesday. “Twitter has a huge impact on the lives of hundreds of millions of people around the world, and it has a fundamental obligation to its users and governments to provide a safe and secure platform,” said Libby Liu, CEO of Whistleblower Aid.
However, for now, the allegations raise a number of serious issues that seem unlikely to be quickly explained or comprehensively resolved.