After it was announced that portions of Twitter’s source code were leaked online, security researchers suggested it should serve as a warning that better measures need to be taken to protect corporate networks, from insiders as well as from any potential external threat.
In this case, portions of Twitter’s source code were posted briefly on the GitHub code-hosting platform. The repository was removed the same day, but code that was public for even a short time could have been copied and easily redistributed. Twitter has asked the U.S. District Court for the Northern District of California to order GitHub to reveal the identity of the user who initially posted the code, as well as of those who may have accessed and downloaded it.
It has been reported that Twitter executives suspect the code was stolen by a disgruntled employee who left the company around the time that billionaire tech entrepreneur Elon Musk acquired the platform for $44 billion – and then proceeded to lay off a significant portion of the staff.
“Leaked source code from Twitter could be the result of former upset employees, people who don’t really like Elon Musk or even nation states wanting to find holes and a way in to utilize the platform for their benefit,” said David Lindner, CISO at Contrast Security, via an email.
Lindner also questioned Twitter’s response to the code leak, in which security concerns seemed almost an afterthought.
“It’s interesting that Twitter’s first thoughts were to issue the copyright infringement notice to GitHub,” he explained. “While it is an important step – but really not that meaningful as the code is already out there – I would have immediately hired an outside forensics firm to make sure the malicious actor was not still in Twitter’s environments.”
The focus was instead on intellectual property (IP) rather than the risks such a leak could pose to Twitter’s users.
“In a lot of these cases nefarious actors use ‘leaks’ like this as a diversion for a more damaging attack,” added Lindner. “It will be interesting to see how Twitter handles the transparency of their findings.”
Inside Job – More Than Likely
It isn’t just Twitter’s current executives who now believe that a disgruntled employee was behind the breach. In fact, it would be surprising if it wasn’t someone on the inside who had a beef with the direction the company was taking.
Finding out how the code leak occurred should also be a top priority, said Tim Mackey, principal security strategist for the Synopsys Cybersecurity Research Center (CyRC).
“The ability to publish source code to a company-owned GitHub repository should be subject to multiple governance controls and reviews. Occurrences such as what Twitter has experienced should be managed by the same processes that any organization would use to determine if and when they might want to ‘open source’ a project,” Mackey said via an email.
Though such controls would help protect an organization’s source code repository, it is also worth noting that when developers work on their own branch of the source code, they would likely be using a personal account.
“Ideally for corporate users, that ‘personal account’ is part of an enterprise-managed repository with appropriate access controls that restrict access to only approved users,” explained Mackey.
The Genie Is Out Of the Bottle
As noted, Twitter is now seeking to find out not only who posted the leaked code, but also who downloaded it. Tracking every copy could be a Sisyphean task to say the least!
“Of course, the publication of source code and its subsequent removal doesn’t mean that someone didn’t copy it while it was public,” warned Mackey. “Anyone having done so would have the ability to analyze the source code and identify if there are any exploitable weaknesses. This is precisely the type of scenario that source code governance controls are designed to protect against.”