A source code leak that Twitter apparently would have preferred to keep quiet has made it to the public via the Digital Millennium Copyright Act (DMCA) filing the company used to knock it offline.
GitHub has shared a DMCA filing from Twitter that indicates part of the platform’s source code was posted on the site, apparently shortly after Elon Musk’s introductory round of layoffs began. GitHub says that it publicly shares all DMCA requests in the interest of transparency.
Twitter source code leak may have been work of “exited” employee seeking revenge
All that is known about the GitHub repository that hosted the source code leak is that it was created by a user called “FreeSpeechEnthusiast” near the start of 2023. The leak appears to have flown below the radar for such a long time due to lack of promotion by this user, even any sort of public commentary. Aside from dumping the Twitter source code on January 4, the user has no other activity, no comments and no explanation of their actions in their profile. Prior to the news coming out the user also had only a relative handful of followers.
Some of the DMCA filing is redacted for privacy, but the source at Twitter requested that FreeSpeechEnthusiast’s contact information, session information, access history and logs be preserved prior to the source code leak being removed. Twitter is clearly on the hunt for the perpetrator, and will likely start with a list of over 10,000 employees and contractors that were exited from the company after Musk took over, sometimes with a great deal of public acrimony vented as they were leaving. That list can likely be pared down to a much smaller number that actually had access to Twitter source code, however.
An email exchange between Twitter and GitHub has also come to public light as Twitter has formally subpoenaed the company for more information about the source code leak. This contains the unredacted version of the DMCA takedown request, though this seems to shed little more light on the issue other than revealing that Twitter Director and Associate General Counsel Julian Moore handled the communications with GitHub.
Details about exactly what was in the source code leak remain thin. GitHub would only say that the repository contained “proprietary source code” for the platform and its tools, but with no indication of the scope of the collection. It is unknown how many people, if any, accessed the repository before it was taken down.
The New York Times is citing two anonymous inside sources in claiming that Twitter executives were only just recently briefed on the source code leak, and that there is an internal belief that the leaker was laid off sometime in late 2022.
David Lindner, CISO at Contrast Security, notes that while the assumption of sour grapes on the part of a fired employee is natural, there is a possibility that the leaker could still be dwelling in Twitter’s systems: “Leaked source code from Twitter could be the result of former upset employees, people who don’t really like Elon Musk, or even nation states wanting to find holes and a way in to utilize the platform for their benefit. It’s interesting that Twitter’s first thoughts were to issue the copyright infringement notice to GitHub. While it is an important step (but really not that meaningful as the code is already out there), I would have immediately hired an outside forensics firm to make sure the malicious actor was not still in Twitter’s environments. In fact, in a lot of these cases nefarious actors use “leaks” like this as a diversion for a more damaging attack. It will be interesting to see how Twitter handles the transparency of their findings.”
Risks of source code leak remain unclear
Elon Musk’s ownership of Twitter has turned into another partisan political issue, and interpretations of the potential damage of the source code leak are thus likely to turn into wishcasting depending on the views of the source. It is possible that the source code will reveal security vulnerabilities, but the likelihood of it creating some sort of competitive disadvantage for the service is low. More information about what was actually lost is needed to make an informed assessment.
Dr. Ilia Kolochenko, Founder of ImmuniWeb, provides a neutral analysis of what Twitter users should expect from this incident: “The alleged security incident will unlikely have any major impact on Twitter and its users, unless some critical parts of the code were actually exposed and misappropriated by cyber threat actors. For instance, source code of business-critical APIs, which allow vetted third parties to remotely access sensitive data of Twitter users, can possibly expose critical security vulnerabilities that are undetectable from the outside.”
Though the damage remains unknown, the source code leak certainly will not help Twitter’s troubled revenue situation. Recent reporting on an internal memo circulated by Musk indicates that the company’s current valuation is about $20 billion, or under half what Musk paid for it in 2022. In addition to aggressive cuts, mostly to employees, plans for recouping that loss appear to be centered on aggressively pushing the Twitter Blue premium subscription. Musk took to the platform to announce on Monday that the main “For You” feed, the default view by which users receive tweets, will no longer contain any posts by unverified users.
The source code leak also comes ahead of promises from Musk that the platform algorithm for recommendations would be made transparent sometime soon. And it comes amidst ongoing regulatory scrutiny of the company, much of which stems from testimony given to Congress by former head of cybersecurity Peiter “Mudge” Zatko. These allegations date back to the time prior to Musk’s ownership, claiming that former executives misrepresented the security of user data and the amount of bot accounts to both government regulators and to investors. Zatko also alleges that spies for foreign countries had access to the internal workings of the platforms, including at least one employee on the payroll thought to be connected to Saudi Arabian intelligence services.
Ronen Slavin, co-founder and CTO at Cycode, notes that the incident contains a number of lessons for organizations about securing sensitive internal information: “In the wake of Twitter’s source code leak, it’s vital to emphasize the significance of a defense-in-depth approach and layered security to protect your organization’s intellectual property. By combining powerful strategies, we can create a resilient defense against potential threats.”
“First, let’s talk about strong access controls and the principle of least privilege access. By granting users the minimum level of access necessary to perform their tasks, we minimize the risk of unauthorized access to sensitive data, ultimately reducing the potential attack surface. Next, we delve into the world of repository anomaly detection. By leveraging advanced technologies and sophisticated algorithms, organizations can spot unauthorized copies or suspicious activities within their repositories in real-time. This proactive approach ensures that potential threats are addressed before they become significant problems. Moreover, having these audit capabilities would allow for self-sufficient investigations, eliminating the need for external help, as was the case with Twitter relying on GitHub. Finally, we turn our attention to secret detection. Code leaks become exponentially more dangerous when they contain exposed secrets, as this can lead to unauthorized access or compromise of sensitive systems. With sensitive data scattered across code repositories, it’s crucial to implement automated tools that identify and remediate exposed secrets. By doing so, we bolster our security posture and prevent attackers from exploiting leaked credentials or sensitive information. Together, these strategies form a comprehensive and formidable shield to protect your organization’s most valuable assets,” recommended Slavin.

