The security flaws that make Twitter’s insider threat so scary

Disclosure claims lax access controls increased impact of Indian government plant

Illustration by Alex Castro / The Verge

Peiter “Mudge” Zatko’s whistleblower disclosure contained a lot of alarming claims about Twitter — from confusing bot measurements to executive misconduct — but one of the most alarming claims was that the company was actively infiltrated by agents of the Indian government. For a platform that has always presented itself as a haven for journalists and activists, it’s a troubling claim and one that the company has not directly confronted in responses given to US media.

But the allegations are less outlandish than they seem — and part of a much larger issue for international tech platforms.

Zatko’s SEC filing claims that, in the course of his time as Twitter’s head of security, he was informed that the Indian government forced Twitter to employ one of its agents.

In a section of the report titled “penetration by foreign intelligence and threats to democracy,” the filing notes:

The Indian government forced Twitter to hire specific individual(s) who were government agents, who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data.

The relationship between Twitter and the Indian government has been particularly fraught, coming to a head in a 2021 raid of the company’s office in Delhi in response to a perceived misuse of the platform’s “manipulated media” tag. Twitter’s moderation in the country is a thorny issue, as false rumors have often been used to spark mob violence against the Muslim minority population. For most speech advocates, those decisions are too sensitive to include an employee of the current right-wing government, which some see as implicitly endorsing the violence.

As Zatko told it, the operational failure that led to a government agent being employed was compounded by a basic security failure. In the SEC filing, he alleged that “half of Twitter’s 10,000 employees and growing” had access to live production systems and sensitive user data. It’s unclear whether that list included the alleged foreign agent, but such a sprawling access problem makes any mitigation efforts far harder.

As yet, details are also fuzzy on the extent to which Twitter willingly made this concession. The platform has had a troubled run in India and is currently bringing a legal challenge against the Indian government over orders to block certain content that was critical of the Modi administration. Competitor Facebook has also run into problems but of a different kind: in 2020, its India policy chief resigned after being strongly criticized for failing to tackle anti-Muslim hate speech on the platform.

The Indian press — well aware that surveillance and intimidation of journalists have steadily been increasing in the country — has treated the allegations seriously, though reporters in the country seem to have had trouble obtaining any additional information from the platform.

“A whistle-blower’s disclosure that the Indian Government forced Twitter to hire its agent, who then got access to the platform’s user data, should alarm anyone even remotely interested in the health of democracy in the country,” read an op-ed in The Hindu, one of the nation’s largest English-language newspapers. “At the very least, it requires an official response from the Government as also from Twitter.”

Approached for comment by The Verge, a Twitter spokesperson sent a statement issued by the CEO and previously provided to press, disputing Zatko’s claims as a “false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.”

The stakes of the issue are high because of Twitter’s near-global reach and the wealth of sensitive data it protects. Though the content of tweets is public by default, direct messages function as a private backchannel between users — but one that many employees are able to intercept. In the wake of a 2020 hack in which a number of widely followed celebrity accounts were compromised, it came to light that contractors with access to Twitter’s internal tools had used them to snoop on celebrities for years, peering into DMs to read private conversations and using IP logging to track their approximate locations. Needless to say, it’s a capability that lots of repressive governments would be glad to have.

It’s not just foreign governments that might try to break Twitter’s security from the inside. Another section of Zatko’s disclosure details his attempt to lock down Twitter’s systems to defend against possible internal threats after the January 6th insurrection — and his subsequent discovery that there was no way to make this happen.

In fact, Twitter has been compromised in a very similar way before. In 2019, two former Twitter employees in the US were found to be accessing the platform’s information on critics of Saudi Arabia under the direction of the Saudi government. Following their exposure, the Justice Department charged them with acting as unregistered foreign agents.

A persistent problem

National security groups have been particularly focused on this kind of insider attack in recent years. In a 2021 briefing sent to US businesses, the National Counterintelligence and Security Center warns that a growing number of state and non-state actors are targeting the United States, trying to obtain intelligence by “employing a range of illegal techniques, including insider threats, cyber penetrations, supply chain attacks, and blended operations that combine some or all these methods.”

So, for any company the size of Twitter, the question is not if they will deal with an insider threat but when. David Thiel, chief technology officer at the Stanford Internet Observatory and a former security engineer at Facebook, told The Verge that the best practice for tech companies is to assume insider threats will happen and preemptively limit their impact. Vetting personnel is an important step, Thiel said, but since it won’t catch every possible bad actor, strict access controls and sophisticated monitoring systems are crucial.

“It’s a sensitive area because you do not want to get in the situation where you’re considering everybody that works for you in a particular country to be a potential spy,” Thiel said. “So this is something that has to be done with technical controls that are applied evenly and equitably across the world.”

It’s also possible that Twitter execs felt they had no choice but to comply. Rose Jackson, director of the Democracy & Tech Initiative at the Atlantic Council’s Digital Forensic Research Lab, says that the US government has taken “a completely hands-off approach” to governance for global tech companies that are headquartered in the United States, leaving them to fend for themselves when navigating sensitive geopolitical issues.

But the result is still a chilling precedent for platforms and their users. Jackson says a hypothetical situation where the US forced companies to employ intelligence agents would still be “beyond the pale.”

“If the United States told Twitter that if it wanted to continue to operate in the United States, that a US intelligence official needed to be placed on its staff, and Twitter said ‘okay,’ then that would be a major scandal worthy of serious investigation,” Jackson told The Verge. “The national security implications, the cybersecurity implications of this — it’s an outlandish idea that that would be acceptable behavior.”
