The Washington PostDemocracy Dies in Darkness

Ex-Twitter engineer tells FTC security violations persist after Musk

Too many people can still access a program that lets them tweet under any account, he says in a complaint

(Dado Ruvic/Reuters)

A new Twitter whistleblower has emerged, supporting last year’s surprising testimony about the dismal state of the company’s privacy protections and saying the company continues to violate its legal obligations under new owner Elon Musk.

The former employee has told members of Congress and staff at the Federal Trade Commission that any Twitter engineer can activate an internal program until recently called “GodMode” and tweet from any account today, three months after Musk’s takeover.

The allegation was also made in a complaint filed in October by the nonprofit law firm Whistleblower Aid with the FTC, which is continuing to interview former employees. A congressional staffer shared the complaint with The Washington Post.

The company’s current head of trust and safety, Ella Irwin, did not respond to an email seeking comment on the new claims. Parag Agrawal, the chief executive for a year before Musk fired him in October, did not respond to a Twitter message seeking comment.

Concerns about Twitter’s security soared after an incident in 2020 when teenagers breached Twitter’s internal systems and tweeted as Musk, Barack Obama and others. Twitter executives in 2020 said they had repaired the glitches, but the whistleblower disputes that.

“After the 2020 hack in which teenagers were able to tweet as any account, Twitter publicly stated that the problems were fixed,” the complaint says. “However, the existence of GodMode is one more example that Twitter’s public statements to users and investors were false and/or misleading.”

“Our client has a reasonable belief that the evidence in this disclosure demonstrates legal violations by Twitter,” the new complaint says.

The whistleblower spoke Friday with staff of the Senate Judiciary Committee, after meeting previously with the House Energy and Commerce Committee and the FTC. The whistleblower spoke with The Post on the condition of anonymity because other former employees have been threatened and harassed.

In that interview, the new whistleblower said that following internal objections about the program, engineers changed its name to “privileged mode.” The whistleblower said the purpose of the program was to allow Twitter staff to tweet on behalf of advertisers unable to do it themselves.

The whistleblower said he was motivated to come forward by the testimony last year of Peiter Zatko, the former Twitter security head whose sweeping claims The Post made public in August. Zatko also was represented by Whistleblower Aid.

Zatko, who was hired after the 2020 debacle by Twitter co-founder and then-CEO Jack Dorsey and fired by Agrawal, Dorsey’s successor as CEO, said poor access controls were one of several ways that Twitter was in violation of its 2011 FTC consent decree, which followed severe breaches.

An FTC complaint at the time said far too many Twitter employees could access internal systems and user data, and the company agreed to set up a “comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.”

When Zatko testified in Congress that no such plan was in place, a third engineer still at the company told Twitter security executives that a program for tweeting as others was still widely available, and that he had tried to get it shut down or restricted years earlier. That issue was reopened, the complaint says, leading to the discovery of even deeper access that also would allow deletion of tweets or the restoration of tweets that had been deleted — something regular users can’t do on their own accounts.

Though Twitter’s then-leaders had said the number of people who had access to such powerful tools had been cut in 2020, the new whistleblower complaint says the GodMode code remains on the laptop of any engineer who wants it. All they would have to do is change a line of the code from FALSE to TRUE and run it from a production machine that they could reach through an easily accessible communications protocol known as SSH.

“Twitter does not have the capability to log which, if any, engineers use or abuse GodMode,” the complaint says.

The complaint includes screenshots of the code in question. The program line that allows a GodMode user to delete tweets contains the capitalized comment: “THINK BEFORE YOU DO THIS.”

The document also includes photographs of electronic conversations between the whistleblower and his then-colleagues. In one discussion, he suggested a technique an engineer could use to deploy the tinkered code, and a co-worker replied that there was an easier way.

“It’s one of those scenarios where no one has tried to break into the car through the sunroof because the window is cracked and the keys are in the visor lol,” he told the whistleblower.

The congressional staffer who provided the complaint said it backed that of Zatko, who had objected to executives’ public claims that powerful tools had been restricted. “It is not true that: a. ‘access to these tools is strictly limited’ b. '[w]e have zero tolerance for misuse of credentials or tools,’” Zatko’s complaint said.

Before Musk’s takeover, Twitter said that it had improved security after Zatko left. But several recently departed security staffers said in interviews with The Post that the situation has gotten much worse under Musk.

The whistleblower said in the interview that the same power to tweet as anyone would be available to someone who gained illicit access to an engineer’s computer, and that engineers have been hacked in the past. In addition, Zatko’s complaint said that Twitter directly employed multiple agents of other governments.

“They put in writing to the public and regulators that they had closed all the loopholes,” the new whistleblower said. “That’s a lie.”

“They removed this from one interface, but it still existed in other ways. They just changed the lock on one of the many front doors.”

Another former security engineer told The Post that they were aware of the problem and that improvements were somewhere in process when they left the company late last year.

Zatko’s complaint set off a major investigation by the FTC, which has continued after Musk’s acquisition. The commission has said it was concerned by the subsequent departures of the top security and privacy executives who served after Zatko left, including some who were responsible for maintaining FTC compliance.

The new whistleblower and another former employee spoke to several FTC staffers this month. The former employee told The Post that the officials seemed most interested in privacy and security controls and the process by which executives put changes in place. That former employee also spoke on the condition of anonymity because of the acrimony around Musk’s stewardship, which has reduced the company’s staff from 7,500 to fewer than 2000 people.

Some people who have been in regular contact with the FTC say they think it is possible the agency may fine the company $1 billion or more if it concludes that the company has continuously violated the FTC decree.

Cat Zakrzewski contributed reporting to this article.

Loading...