Twitter engineers can use “GodMode” to tweet from any account — Whistleblower

A second former Twitter employee has come forward and raised concerns about security policies at the social media platform, The Washington Post reports.
The whistleblower, a former Twitter engineer, has reportedly spoken with the US Congress and Federal Trade Commission (FTC) about a dodgy internal program called “privileged mode”.
Previously called “GodMode”, it allegedly allows Twitter’s engineers to post tweets from any user’s account.
The whistleblower claimed it requires access to a production computer and a change to one piece of code from “FALSE” to “TRUE”.
A screenshot of the code attached to the complaint that the whistleblower lodged with the FTC in October 2022 shows a capitalised warning that is presented to those who attempt to use it:
“THINK BEFORE YOU DO THIS.”
Another Twitter whistleblower who made headlines in 2022, former head of security Peiter Zatko, said the platform misled regulators about its security systems.
Zatko said that Twitter security had “extreme, egregious deficiencies” in protection against cyberattacks, with half of its servers running out-of-date and exploitable software.
Zatko also said that thousands of Twitter staff had extensive access to core company software, which had resulted in previous breaches.
That supposedly includes teenage cryptocurrency scammers who managed to hack Twitter’s internal systems in 2020 and send fake tweets from several prominent accounts.
Compromised accounts included those owned by US President Joe Biden, Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, and Warren Buffett, among others.
At the time, Twitter’s executives said the vulnerability had been fixed and that the company had launched a “comprehensive information security program” to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.
But Zatko disputed that these measures were sufficient.
The new whistleblower said that the 2020 hacking incident led Twitter to re-examine the security privileges granted to its employees.
Twitter subsequently discovered that its engineers could delete and restore any user’s tweets.
The whistleblower also said that Twitter had no way to detect who used or abused any of the privileges.