Twitter's source code leak.
the cyberwire logoMar 28, 2023

Twitter source code appears to have been posted to GitHub months ago.

Twitter's source code leak.

Internal Twitter source code was leaked on GitHub by an unknown actor months ago, according to the New York Times. 

Twitter issues subpoena for leaker’s information.

GitHub took down the repository on Friday following a DMCA infringement notice from Twitter. Twitter has also issued a subpoena requesting information on the user who posted the data, as well as any information on users who have downloaded or shared the source code.

The company is asking GitHub for “All identifying information, including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with the following GitHub username: FreeSpeechEnthusiast. Please include all identifying information provided when this account was established, as well as all identifying information provided subsequently for billing or administrative purposes.”

BleepingComputer notes that the alleged leaker’s GitHub handle, “FreeSpeechEnthusiast,” appears to be a reference to Elon Musk and suggests the individual is or was a disgruntled Twitter employee.

Industry comments.

Yakir Kadkoda, Lead Security Researcher at Aqua Security’s research team Nautilus, commented:

“Most of the damage is caused by the code leakage. That means vulnerabilities, secrets, and internal processes in this code are now visible to everyone. While this may be almost a given with an open source project, it’s quite different when it is corporate code. Inside corporate code is a wild west in terms of standards, and leaks of this kind can lead to attacks and exploitation of vulnerabilities for many, many years to come.

“It highlights the need for secure development processes, SAST and DAST scans, and secret scans, etc. It is also a good reminder that organizations should treat their code as if it were open source, and if their code is exposed, then minimal damage will occur. Furthermore, the permissions mechanism would not usually have been able to stop this type of leak, since anyone who has access to the repository can copy the code from it (although they cannot usually change it).

“This is another point that organizations should consider protecting their assets from 'internal threats' and better compartmentalize code.”

David Lindner, CISO at Contrast Security, stated:

 “Leaked source code from Twitter could be the result of former upset employees, people who don’t really like Elon Musk, or even nation states wanting to find holes and a way in to utilize the platform for their benefit. It’s interesting that Twitter’s first thoughts were to issue the copyright infringement notice to GitHub. While it is an important step (but really not that meaningful as the code is already out there), I would have immediately hired an outside forensics firm to make sure the malicious actor was not still in Twitter’s environments. In fact, in a lot of these cases nefarious actors use “leaks” like this as a diversion for a more damaging attack. It will be interesting to see how Twitter handles the transparency of their findings.”

Ronen Slavin, co-founder and CTO at Cycode, offered the following observations:

“In the wake of Twitter's source code leak, it's vital to emphasize the significance of a defense-in-depth approach and layered security to protect your organization's intellectual property. By combining powerful strategies, we can create a resilient defense against potential threats.

"First, let's talk about strong access controls and the principle of least privilege access. By granting users the minimum level of access necessary to perform their tasks, we minimize the risk of unauthorized access to sensitive data, ultimately reducing the potential attack surface.

"Next, we delve into the world of repository anomaly detection. By leveraging advanced technologies and sophisticated algorithms, organizations can spot unauthorized copies or suspicious activities within their repositories in real-time. This proactive approach ensures that potential threats are addressed before they become significant problems. Moreover, having these audit capabilities would allow for self-sufficient investigations, eliminating the need for external help, as was the case with Twitter relying on GitHub.

 "Finally, we turn our attention to secret detection. Code leaks become exponentially more dangerous when they contain exposed secrets, as this can lead to unauthorized access or compromise of sensitive systems. With sensitive data scattered across code repositories, it's crucial to implement automated tools that identify and remediate exposed secrets. By doing so, we bolster our security posture and prevent attackers from exploiting leaked credentials or sensitive information.

"Together, these strategies form a comprehensive and formidable shield to protect your organization's most valuable assets."

Tim Mackey, Principal Security Strategist for Synopsys Cybersecurity Research Center (CyRC), noted:

“The ability to publish source code to a company owned GitHub repository should be subject to multiple governance controls and reviews. Occurrences such as what Twitter has experienced should be managed by the same processes that any organization would use to determine if and when they might want to “open source” a project. While such controls would help to protect the source code repository for an organization, it’s worth noting that when a developer works on their branch of source code, they will be using a personal account. Ideally for corporate users, that “personal account” is part of an enterprise managed repository with appropriate access controls that restrict access to only approved users.

"Of course, the publication of source code and its subsequent removal doesn’t mean that someone didn’t copy that source code while it was public. Anyone having done so would have the ability to analyze the source code and identify if there are any exploitable weaknesses. This is precisely the type of scenario that source code governance controls are designed to protect against.”