Twitter Concealed Known Security Flaws

US social media giant Twitter has been accused of hiding major security flaws. A whistleblower has spken out to accuse Twitter of consistently lying to customers and government  officials about its attempts to repair its users data security.

While caught up in a legal battle against Elon Musk, Twitter’s former security chief until January of this year has blown the whistle on how the social media platform handles cyber security. 

Former Chief Security Officer, Peiter Zatko, has accused Twitter of severe cyber security mismanagement in a complaint filed to the US Securities and Exchange Commission (SEC) filed on July 6.  Zatko alleges that the company has been hiding the spam and bots problem which began to emerge in the dispute between the social media giant and Elon Musk.

Twitter does not know how many fake, bots or spam automated accounts it has, according to allegations by its former head of security.

Peiter Zatko's is one of the world’s most famous hackers and leading cyber security experts and has now become a whistleblower and submitted a string of allegations of repeated security violations by his former employer Twitter.
Peiter Zatko's revelations, have been seized upon by lawyers for Elon Musk, who is trying to end his bid to buy Twitter, disputing its information on the number of fake accounts it has.

Twitter says Zatko's allegations contain many inaccuracies and inconsistencies and that he was sacked in January for ineffective leadership and poor performance.

Twitter has been in a dispute with Musk since the Tesla and SpaceX CEO’s decided to abandon a deal to purchase the site for $44 billion earlier this year. Musk said he no longer wished to purchase the company, as he could not verify how many humans were on the platform, while Twitter says it estimates that fewer than 5% of its daily active users are bot accounts.

Musk has said the social media company is heavily undercounting the number of spam and bot accounts on its platform as a primary reason he’s backing out. 

According to Zatko, Twitter's management have little incentive to accurately identify or report total spam bots on the platform. In a redacted copy of the SEC filing seen by CBS news, Zatko criticises Twitter's methodology for calculating the number of spam-bots. He claims he was unable to obtain from Twitter an "upper bound" for the number of bots, accusing senior management of having "no appetite to properly measure the prevalence of bots".

  • According to the Washington Post, the complaint "provides little hard evidence" to back up his assertions about bots and spam, although these allegations may be useful to Musk in his legal argument to withdraw from buying Twitter.
  • According to Mr Zatko's lawyer, he started the whistleblowing process before Musk began his  attempts to buy the platform became public, and has made no contact with Musk.
  • Alex Spiro, an attorney for Musk, told CNN it had issued a subpoena for Mr Zatko to be a potential witness. 

Twitter's server infrastructure is another equally serious vulnerability, the SEC filing claims. About half of the company's 500,000 servers run on outdated software that does not support basic security features such as encryption for stored data or regular security updates by vendors.

Washington Post:   BBC:     CNN:    Oodaloop:     FT:   Independent:   Yahoo:    PressTV

You Might Also Read: 

Twitter, Free Speech & Disinformation:

 

« Detect Spoofing Before Your Organisation Suffers Fraud
Healthcare Ransomware Attacks Have Almost Doubled »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

The Hacker News (THN)

The Hacker News (THN)

THN is a leading source for Information Security, Hacking News, Cyber Security, Network Security with in-depth technical coverage of issues and events

ForeScout Technologies

ForeScout Technologies

ForeScout delivers pervasive network security by allowing organisations to continuously monitor & mitigate security exposures & cyberattacks.

Cross Identity

Cross Identity

Cross Identity (formerly Ilantus Technologies) is a complete IAM solution that is deep, comprehensive, and can be implemented even by non-IT persons.

National Authority Against Electronic Attacks (NAAEA) - Greece

National Authority Against Electronic Attacks (NAAEA) - Greece

The National Authority Against Electronic Attacks (NAAEA) is the national computer emergency response team of Greece.

Protocol Policy Systems

Protocol Policy Systems

Protocol Policy Systems specialise in IT policy deployment and management systems that deliver compliance and secure computing environments.

Delta Risk

Delta Risk

Delta Risk is a global provider of managed security services and cyber security risk management solutions to government and private sector clients.

Cyber Risk Opportunities

Cyber Risk Opportunities

Cyber Risk Opportunities was formed to enable middle-market executives to become more proficient cyber risk managers so their organizations can thrive.

Cybersprint

Cybersprint

Cybersprint's Digital Risk Protection platform continuously monitors your digital footprint so you can make informed decisions on exposure to online threats, identify vulnerabilities and take action.

iQuila

iQuila

iQuila is a virtual overlay network which runs on top of an existing network. It creates a secure software enabled layer 2 connection across the internet or any public or private cloud.

eLearnSecurity

eLearnSecurity

eLearnSecurity is an innovator in the IT Security training market providing quality online courses paired with highly practical virtual labs.

Siemens

Siemens

Siemens Industrial Security Services provide solutions for cybersecurity in automation environments based on the recommendations of the international standard IEC 62443.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

Glocomms

Glocomms

Glocomms is a leading specialist recruitment agency for the tech sector, providing permanent, contract, and multi-hire recruitment from our global hubs in San Francisco, New York, London and Berlin.

Primus Institute of Technology

Primus Institute of Technology

At Primus Institute of Technology our mission is to inspire, support, and empower current and aspiring IT professionals through training and career development workshops.

Prophaze Technologies

Prophaze Technologies

Prophaze enable organizations and SaaS providers to improve their web application cybersecurity and reduce costs through AI automation.

RunReveal

RunReveal

RunReveal's mission is to make sure no breach goes undetected. That means having a product that is accessible and effective for companies of all sizes.