Twitter Concealed Known Security Flaws

Uploaded on 2022-08-29 in TECHNOLOGY-Key Areas-Social Media, FREE TO VIEW

US social media giant Twitter has been accused of hiding major security flaws. A whistleblower has spken out to accuse Twitter of consistently lying to customers and government  officials about its attempts to repair its users data security.

While caught up in a legal battle against Elon Musk, Twitter’s former security chief until January of this year has blown the whistle on how the social media platform handles cyber security. 

Former Chief Security Officer, Peiter Zatko, has accused Twitter of severe cyber security mismanagement in a complaint filed to the US Securities and Exchange Commission (SEC) filed on July 6.  Zatko alleges that the company has been hiding the spam and bots problem which began to emerge in the dispute between the social media giant and Elon Musk.

Twitter does not know how many fake, bots or spam automated accounts it has, according to allegations by its former head of security.

Peiter Zatko's is one of the world’s most famous hackers and leading cyber security experts and has now become a whistleblower and submitted a string of allegations of repeated security violations by his former employer Twitter.
Peiter Zatko's revelations, have been seized upon by lawyers for Elon Musk, who is trying to end his bid to buy Twitter, disputing its information on the number of fake accounts it has.

Twitter says Zatko's allegations contain many inaccuracies and inconsistencies and that he was sacked in January for ineffective leadership and poor performance.

Twitter has been in a dispute with Musk since the Tesla and SpaceX CEO’s decided to abandon a deal to purchase the site for $44 billion earlier this year. Musk said he no longer wished to purchase the company, as he could not verify how many humans were on the platform, while Twitter says it estimates that fewer than 5% of its daily active users are bot accounts.

Musk has said the social media company is heavily undercounting the number of spam and bot accounts on its platform as a primary reason he’s backing out. 

According to Zatko, Twitter's management have little incentive to accurately identify or report total spam bots on the platform. In a redacted copy of the SEC filing seen by CBS news, Zatko criticises Twitter's methodology for calculating the number of spam-bots. He claims he was unable to obtain from Twitter an "upper bound" for the number of bots, accusing senior management of having "no appetite to properly measure the prevalence of bots".

  • According to the Washington Post, the complaint "provides little hard evidence" to back up his assertions about bots and spam, although these allegations may be useful to Musk in his legal argument to withdraw from buying Twitter.
  • According to Mr Zatko's lawyer, he started the whistleblowing process before Musk began his  attempts to buy the platform became public, and has made no contact with Musk.
  • Alex Spiro, an attorney for Musk, told CNN it had issued a subpoena for Mr Zatko to be a potential witness. 

Twitter's server infrastructure is another equally serious vulnerability, the SEC filing claims. About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors.

Washington Post:   BBC:     CNN:    Oodaloop:     FT:   Independent:   Yahoo:    PressTV

You Might Also Read: 

Twitter, Free Speech & Disinformation:

 

« Detect Spoofing Before Your Organisation Suffers Fraud
Healthcare Ransomware Attacks Have Almost Doubled »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

SecWest

SecWest

SecWest is the organizer of CanSecWest, PACSEC, originator of PWN2OWN, security auditing, and virtual engagement/training.

IntaForensics

IntaForensics

IntaForensics offer a full range of digital investigation services and are able to adapt to the individual needs of solicitors, private clients, Law Enforcement Agencies and commercial businesses.

Cyber DriveWare

Cyber DriveWare

DriveWare analyzes new traffic in the I/O layer and blocks malware and cyber attacks which organizations have no means to protect against.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

Neurosoft

Neurosoft

Neursoft is a fully integrated ICT company with Software Development, System Integration and Information Technology Security capabilities.

Sera-Brynn

Sera-Brynn

Sera-Brynn is one of the highest-ranked, pure-play cybersecurity compliance and advisory firms in the world.

Risk Ident

Risk Ident

RISK IDENT specializes in supporting enterprises in identifying and preventing criminal activity like payment fraud, account takeovers and identity theft.

OffSec

OffSec

OffSec have defined the standard of excellence in penetration testing training. Elite security instructors teach our intense training scenarios and exceptional course material.

Cranfield University

Cranfield University

Cranfield Defence and Security are at the forefront of their fields, offering capabilities ranging from cyber security and digital warfare to robotics, forensic sciences and simulation and analytics.

Cloud4C

Cloud4C

Cloud4C is a leading automation-driven, application focused cloud Managed Services Provider.

Cyera

Cyera

Cyera is the data security company that gives businesses context and control over their most valuable asset: data.

Cloudflare

Cloudflare

Cloudflare is a global network designed to make everything you connect to the Internet secure, private, fast, and reliable.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

SecurityLoophole

SecurityLoophole

SecurityLoophole is an independent cyber security news platform with global coverage. Latest updates, reports, news and events related to cyber security.

Foresiet

Foresiet

Foresiet is the first platform to cover all of your digital risks, allowing enterprise to focus on the core business.

Aquia

Aquia

Aquia are on a mission to enable innovation and drive transformative change to solve the world’s most pressing and complex cybersecurity challenges.