Twitter Fixed a Bug That Exposed Advertisers' Sensitive Credit Details Internally

A bug in Twitter’s system, which was rectified on Saturday, exposed sensitive information to the company's advertising team. Names, addresses and credit card information of several advertisers were left exposed, Adweek has learned. The bug was identified on Thursday by privacy researcher Zach Edwards. He found that the company ingested sensitive credit card information without any encryption. The error occurred in the midst of swift changes to the platform and across-the-board staff cuts in the wake of Elon Musk's takeover three weeks ago. As more execs leave or are let go, engineers at Twitter are required to "self-certify compliance with FTC requirements and other laws," per an internal slack message. “These are ad tech corporate credit cards with wild limits,” said Edwards, who captured the bug on his browser while testing what happens when people add their credit card information to their Twitter ads account. Twitter employees could potentially screenshot and download credit card information. Elon Musk Believes Twitter Paywall Will Solve Advertisers' Brand Safety Concerns Engineers at Twitter learned about the system bug through Edwards’ tweet and fixed it internally over the weekend, according to a screenshot viewed by Adweek. Adweek contacted Twitter but has received no response, at least one of the emails bounced back. Recently, Twitter whistleblower Peiter Zatko pointed to security holes on the platform. Testifying before Congress in September, he claimed that employees had too much access to data. Twitter did not have the capacity to respond to national security risks, including access gained by potential foreign agents on its payroll, he claimed. After the mass executive exodus of the last two weeks, those still with Twitter are trying to push back on Twitter Blue, the company’s paid service. However, Edwards did not encounter the same potential security breach issue with Twitter Blue, which uses the payment processor Stripe to process monthly transactions. “They fixed it because they got outed,” said Ari Lightman, a professor of digital media, marketing and cybersecurity at Carnegie Mellon University’s Heinz College. Still, this fix doesn’t solve the looming data security risks within Twitter. A data security problem Edwards, who previously tested for bugs in Twitter ads, was mainly concerned that corporate credit card details, along with names and addresses, were stored without encryption. This way of storing information in a transparent manner did not exist prior to the acquisition, according to Edwards. “If somebody internally at Twitter is seeing credit card information, that's a data security problem,” said Vuk Janosevic, CEO and co-founder of data privacy firm Blindnet. “By the time somebody figures out any fraudulent purchases, it could easily take 90 days. There is a clear risk for fraud here.” The Payment Card Industry Data Security Standard (PCI DSS) states that the Primary Account Number (PAN) must be made unreadable and strongly encrypted wherever it is stored. Two sources indicated that Twitter was in violation of the PCI requirement. Compliance and enforcement of PCI Standards is the role of the payment brands and acquiring banks, a PCI spokesperson told Adweek. "The minuscule security parameters that exist within Twitter pose a huge security risk,” said Lightman, who added that the platform warrants urgent stabilization. And that is not a simple or quick process. It involves security department audits, penetration testing, user adoption and security training for employees and contractors. "A full enterprise-wide risk assessment could help prioritize and redeploy resources where it matters most," said Jerome Dangu, CTO and co-founder at cybersecurity ad tech and malware prevention company Confiant. "It will take years to rebuild." Elon Musk Fails to Answer Brands' Questions in Private Meetings Meanwhile, Musk has reportedly told staff that bankruptcy is not out of the question if advertising, subscription or other revenue can't be maintained. And the list of advertisers leaving the platform continues to grow. “To save itself, Twitter needs to win back advertisers," said Lightman. "That’s the main source of revenue."

Data Security

Twitter Fixed a Bug That Exposed Advertisers' Sensitive Credit Details Internally

Data security experts find "a clear risk for fraud"

Trishla Ostwal

About

Subscriptions

Events

Publications

WORK SMARTER - LEARN, GROW AND BE INSPIRED.

Subscribe today!

Trishla Ostwal