Twitter Presses GitHub to Turn Over User Who Leaked Source Code
When Twitter joined the ranks of tech companies whose source code leaked online, it was met with little surprise and a whole lot of unease over what the leak might mean for the platform’s security.
“Unlike other recent source code leaks, it is concerning that Twitter has not released a statement to reiterate that it doesn’t rely on the confidentiality of its code for the security of its services,” said Claude Mandy, chief evangelist, data security, at Symmetry Systems.
Now that the company is in hot pursuit of the leaker, a federal district court subpeonaed GitHub to reveal the identity of “FreeSpeech Enthusiast,” the user that posted the Twitter source code on GitHub and who is suspected of being a former employee displeased by the company’s recent layoffs.
“As we wait for Twitter to hopefully release details of their investigation, current speculation is that the leak was most likely a former employee with significant access—the proverbial insider threat,” said Mandy.
Such leaks are becoming far too common and often expose secrets. In 2022, GitGuardian found more than 10 million secrets just in public GitHub repos.
“In the short term, the concern for Twitter will be in determining whether there was anything potentially harmful in the code itself in addition to the loss of intellectual property,” said Mandy. “This could include secrets and other authentication information, sensitive information and even embarrassing code comments like we’ve seen in other source code leaks.”
What’s more, “access to source code can allow attackers to comb through the code and identify potential vulnerabilities and insecure configurations more easily,” he said.
Those leaks perpetrated by insiders are particularly gnarly. “Insider threats are hard to prevent—they have authorized and legitimate requirements to do exactly what was done in this instance—i.e., upload code to GitHub,” said Mandy.
“This renders traditional preventive data security tools almost ineffective in preventing the purposeful leak of sensitive information by an insider,” he said. ”Even worse, these tools are completely blind when the organization doesn’t know where the information is stored or where it is stored in a third party, given that most security tools focus on securing the networks and systems that information is stored on.”
For the CISO, this means relying “more on data security tools that can not only identify where data is but monitor data flows and activity by users on the data for anomalous activity,” Mandy explained.
The Twitter leak highlights the need for better oversight and management. “The ability to publish source code to a company-owned GitHub repository should be subject to multiple governance controls and reviews,” said Tim Mackey, principal security strategist, Synopsys Cybersecurity Research Center (CyRC).
“Occurrences such as what Twitter has experienced should be managed by the same processes that any organization would use to determine if and when they might want to ‘open source’ a project,” said Mackey. “While such controls would help to protect the source code repository for an organization, it’s worth noting that when a developer works on their branch of source code, they will be using a personal account.”
Ideally, for corporate users, Mackey said, “that ‘personal account’ is part of an enterprise-managed repository with appropriate access controls that restrict access to only approved users.”
Publishing “source code and its subsequent removal doesn’t mean that someone didn’t copy that source code while it was public,” said Mackey. “Anyone having done so would have the ability to analyze the source code and identify if there are any exploitable weaknesses. This is precisely the type of scenario that source code governance controls are designed to protect against.”
