Though few people seemed to realize it, proprietary Twitter code was sitting in a public GitHub repository from early January to sometime in March, freely accessible to anyone. The public is only becoming aware of the source code leak via a Digital Millennium Copyright Act (DMCA) filing by Twitter, asking GitHub to ensure it stays offline and to turn over information about whoever uploaded it.
Extent of source code leak still unknown as Twitter voluntarily begins sharing algorithm information
As with any source code leak, the primary concern is that it will provide a roadmap to exploitable vulnerabilities for attackers. However, it is still not clear exactly what was leaked, let alone how many people got hold of it before it was taken down. A takedown only removes the repository from GitHub; any clones or forks made during the roughly two months it was public are beyond Twitter's reach, so the code should be assumed to still be in circulation.
Without more information, it is also unclear what impact this will have on Twitter’s revenue situation. The company is reportedly now worth less than half what Elon Musk paid for it in 2022, and Musk appears to be pinning hopes for recovery on forcing users to pay for the premium Twitter Blue subscription to access the platform’s full range of features and opportunities.
Musk recently shared the source code for the recommendations algorithm, though it has been left up to programming experts to actually examine it and determine how the platform populates user feeds. Twitter is also reportedly in the midst of an overhaul of this system that may ultimately make this older code irrelevant.
Twitter thinks source code leak came from employee laid off in 2022
The first of Twitter's bold moves to address the balance sheet was the layoff of over 10,000 employees and contractors, something that immediately mobilized ill will against Musk and helped to politicize the situation. According to the New York Times, anonymous sources inside Twitter seem to think that "FreeSpeechEnthusiast," the mysterious user that uploaded the code to GitHub with almost nothing in the way of commentary, is among those former employees and that the source code leak was aimed at harming the company.
It’s certainly a reasonable theory, but there is no explanation as of yet for why the source code leak was seemingly not publicized at all. Uploaded on January 4, the code seemed to go unnoticed until Twitter asked GitHub to remove it under a copyright claim in mid-March.
Twitter has said that it is actively seeking the leaker, and that large pool of former employees is likely to be narrowed down to the relative few who had access to this sort of sensitive code. GitHub has also been served with a subpoena for any useful information it can provide on the leaker's identity and activities.
While it is natural to jump to the conclusion that the source code leak is the work of a disgruntled employee (and certainly the one that Twitter has seemed to reach), the odd circumstances of the leak should prompt at least some consideration that a more complex attack is unfolding and that an unauthorized party may be dwelling in Twitter’s systems.