Zatko also alleges that Twitter does not have comprehensive development or testing environments in which to pilot new features and system updates before rolling them out to live production software. As a result, Zatko describes a situation in which engineers work alongside live systems and "test directly on the commercial service, causing regular service outages." The documents further allege that roughly half of Twitter's employees had privileged access to live production systems and user data, without adequate controls or logging to detect rogue actions or trace unwanted activity. Zatko's complaint describes Twitter as having approximately 11,000 employees; Twitter says it currently has about 7,000.
The complaints claim that these poor security practices explain Twitter’s history of security incidents, data breaches and dangerous takeovers of user accounts.
"We are reviewing the redacted claims that have been published," Twitter CEO Parag Agrawal wrote in a message to Twitter staff this morning. "We will pursue all avenues to defend our integrity as a company and set the record straight."
Twitter says all employee computers are managed centrally, and its IT department can force updates or impose access restrictions on machines where those updates are not installed. The company also said that before a computer can connect to production systems it must pass a check confirming that its software is up to date, and that only employees with a "business justification" can access the production environment, and then only for "specific purposes."
Al Sutton, co-founder and CTO of Snapp Automotive, who was a staff software engineer at Twitter from August 2020 to February 2021, noted in a tweet on Tuesday that Twitter never removed him from the employee GitHub group that can submit changes to code the company manages on the development platform. Sutton retained access to the private repositories for 18 months after being let go, and he published evidence that Twitter uses GitHub not only for public open source work but also for internal projects. About three hours after he posted about the access, Sutton reported that it had been revoked.
“I think Twitter is being pretty casual about Mudge’s claims, so I thought a verifiable example might be helpful for people,” he told WIRED. When asked if Zatko’s allegations relate to his own experience working at Twitter, Sutton added, “I think the best thing to say here is that I have no reason to doubt his claims.”
Security engineers and researchers point out that while there are different ways to approach security in a production environment, there is a conceptual problem if employees have broad access to user data and deployed code without extensive logging of what they do with it. Some organizations take the approach of drastically limiting access, while others combine broader access with constant monitoring, but either option should be a conscious choice in which the company invests heavily. After Chinese state-backed hackers breached Google in 2010, for example, the company opted for the former approach.
"It's actually not that unusual for companies to have relatively liberal policies about giving engineers access to production systems, but when they do they're very, very strict about logging everything that's done," says Perry Metzger, managing partner of the consultancy Metzger, Dowdeswell & Company. "Mudge has an excellent reputation, but let's just say he was completely incompetent. The easiest thing for them to do would be to provide technical details of the logging systems they use for engineer access to production systems. But what Mudge is portraying is a culture where people would rather cover things up than fix them, and that's the disturbing part."
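The two controls discussed above, Twitter's stated device-compliance and business-justification gate for production access and the "log everything, then monitor it" model Metzger describes, can be sketched as a single access broker. The following is an added illustration written for this article, not Twitter's code or anything from Zatko's complaint; the minimum agent version, the ticket-to-permission mapping, the bulk-read and denied-action thresholds, and all user, device and ticket names are constructed assumptions.

```python
# Added example, not Twitter's code. A minimal production-access broker that
# (1) refuses connections from non-compliant devices, (2) requires a ticket as
# business justification and limits actions to that ticket's purpose,
# (3) logs every attempt, allowed or not, and (4) runs simple detections over
# that audit log. All names, thresholds and sample records are constructed.
from dataclasses import dataclass
from typing import Optional

MIN_AGENT_VERSION = (4, 2)   # assumed: oldest endpoint agent allowed on prod
BULK_READ_THRESHOLD = 50     # assumed: user records per session before flagging
DENIED_THRESHOLD = 2         # assumed: denied actions per user before flagging

# Assumed mapping of justification type -> actions that purpose permits.
PERMITTED = {
    "incident": {"read_user", "read_logs"},
    "deploy":   {"deploy", "read_logs"},
}


@dataclass
class Device:
    agent_version: tuple
    disk_encrypted: bool


@dataclass
class Session:
    user: str
    device: Device
    ticket: Optional[str]   # e.g. "INC-1001"; None means no business justification
    purpose: str            # key into PERMITTED


class ProdBroker:
    """Every connection attempt and every action passes through here and is logged."""

    def __init__(self):
        self.audit_log = []
        self.open = {}   # user -> Session

    def _log(self, user, action, allowed, target=None, ticket=None, records=0):
        self.audit_log.append({"user": user, "action": action, "target": target,
                               "ticket": ticket, "allowed": allowed, "records": records})

    def device_compliant(self, d: Device) -> bool:
        return d.agent_version >= MIN_AGENT_VERSION and d.disk_encrypted

    def connect(self, s: Session) -> bool:
        ok = self.device_compliant(s.device) and bool(s.ticket) and s.purpose in PERMITTED
        self._log(s.user, "connect", ok, ticket=s.ticket)
        if ok:
            self.open[s.user] = s
        return ok

    def act(self, user: str, action: str, target: str, records: int = 1) -> bool:
        s = self.open.get(user)
        ok = s is not None and action in PERMITTED[s.purpose]
        self._log(user, action, ok, target=target,
                  ticket=s.ticket if s else None, records=records if ok else 0)
        return ok


def detect_rogue(audit_log):
    """Findings a SOC would pull from the log: an allowed action with no ticket,
    bulk reads of user records, and users accumulating denied actions."""
    findings, reads, denied = [], {}, {}
    for e in audit_log:
        if e["allowed"] and e["ticket"] is None:
            findings.append(f"{e['user']}: {e['action']} allowed without ticket")
        if e["action"] == "read_user" and e["allowed"]:
            reads[e["user"]] = reads.get(e["user"], 0) + e["records"]
        if not e["allowed"]:
            denied[e["user"]] = denied.get(e["user"], 0) + 1
    for u, n in reads.items():
        if n > BULK_READ_THRESHOLD:
            findings.append(f"{u}: bulk read of {n} user records")
    for u, n in denied.items():
        if n >= DENIED_THRESHOLD:
            findings.append(f"{u}: {n} denied actions")
    return findings


def demo():
    """Constructed scenario: one compliant engineer, one stale device, one missing ticket."""
    b = ProdBroker()
    good, stale = Device((4, 3), True), Device((3, 9), True)
    b.connect(Session("alice", good, "INC-1001", "incident"))
    b.connect(Session("bob", stale, "CHG-77", "deploy"))     # blocked: stale agent
    b.connect(Session("carol", good, None, "incident"))      # blocked: no ticket
    b.act("alice", "read_user", "user:42")
    b.act("alice", "read_user", "users:*", records=5000)     # bulk read -> flagged
    b.act("alice", "deploy", "tweet-service")                # outside purpose -> denied
    b.act("bob", "deploy", "tweet-service")                  # no open session -> denied
    return b, detect_rogue(b.audit_log)


if __name__ == "__main__":
    broker, found = demo()
    for entry in broker.audit_log:
        print(entry)
    print(found)
```

The point the example makes is the one Metzger raises: the broker logs denied attempts as well as allowed ones, so a company running this model could answer the allegations simply by describing the log and the detections that run over it.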
Zatko and Whistleblower Aid, the nonprofit legal group representing him, say they stand by the documents released Tuesday. “Twitter has an outsized influence on the lives of hundreds of millions around the world and has fundamental obligations to its users and the government to provide a safe platform,” Libby Liu, CEO of Whistleblower Aid, said in a statement.
For now, however, the allegations raise a number of serious concerns that seem unlikely to be quickly explained or comprehensively resolved.