Twitter contractors with high-level administrative access to accounts regularly abused their privileges to spy on celebrities including Beyoncé, including approximating their movements via internet protocol addresses, according to a report by Bloomberg.
Over 1,500 workers and contractors at Twitter who handle internal support requests and manage user accounts have high-level privileges that enable them to override user security settings and reset their accounts via Twitter’s backend, as well as view certain details of accounts like IP addresses, phone numbers, and email addresses.
[…]
Two of the former Twitter employees told Bloomberg that projects such as enhancing security of “the system that houses Twitter’s backup files or enhancing oversight of the system used to monitor contractor activity were, at times, shelved for engineering products designed to enhance revenue.” In the meantime, some of those with access (some of whom were contractors with Cognizant at up to six separate work sites) abused it to view details including IP addresses of users. Executives didn’t prioritize policing the internal support team, two of the former employees told Bloomberg, and at times Twitter security allegedly had trouble tracking misconduct due to sheer volume.
A system was in place to create access logs, but it could be fooled by simply creating bullshit support tickets that made the spying appear legitimate; two of the former employees told Bloomberg that from 2017 to 2018 members of the internal support team “made a kind of game out of” the workaround. The security risks inherent to granting access to so many people were reportedly brought up to the company’s board repeatedly from 2015-2019, but little changed.
This had consequences beyond the most recent hack. Last year, the Department of Justice announced charges against two former employees (a U.S. national and a Saudi citizen) that it accused of espionage on behalf of an individual close to Saudi Crown Prince Mohammed bin Salman. The DOJ alleged that the intent of the operation was to gain access to private information on political dissidents.
Source: Twitter Contractors Abused Access to Beyoncé’s Account: Report
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft