Twitter Asks Court to Subpoena GitHub Over Source Code Leak

Experts opined that the leaker could be a disgruntled former Twitter employee.

March 28, 2023

On Monday, GitHub took down the repository containing parts of the proprietary Twitter source code published illicitly. Published by a user going by the name FreeSpeechEnthusiast, the source code seems to have been online for months.

The leak came to the fore, at least in the mainstream, only after Elon Musk-headed Twitter filed a notice with the District Court of Northern California against GitHub under the Digital Millennium Copyright Act (DMCA) this week.

While the proprietary source code has been taken down, the microblogging platform also seeks to bring FreeSpeechEnthusiast to justice. As such, the company has asked the Court to issue a subpoena for “all identifying information, including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with the following GitHub username: FreeSpeechEnthusiast.”

The company also seeks details on when the account was established and all identifying information provided for billing or administrative purposes. Additionally, Twitter wants the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es) of the users who posted, uploaded, downloaded or modified the data at the said repository.

The username FreeSpeechEnthusiast suggests the leak could very well be a sneer at billionaire technocrat Elon Musk, a self-proclaimed “free speech absolutist.” Experts opined that the leaker could be a disgruntled former Twitter employee. Twitter laid off more than half its workforce after Musk acquired the company.

“Leaked source code from Twitter could be the result of former upset employees, people who don’t really like Elon Musk, or even nation states wanting to find holes and a way in to utilize the platform for their benefit,” David Lindner, CISO at Contrast Security, told Spiceworks.

“It’s interesting that Twitter’s first thoughts were to issue the copyright infringement notice to GitHub. While it is an important step (but really not that meaningful as the code is already out there), I would have immediately hired an outside forensics firm to make sure the malicious actor was not still in Twitter’s environments.”

The development comes just days before Musk is planning to open source Twitter’s tweet recommendation algorithm.

“In fact, in a lot of these cases, nefarious actors use ‘leaks’ like this as a diversion for a more damaging attack. It will be interesting to see how Twitter handles the transparency of their findings.”

Tim Mackey, head of software supply chain risk at the Synopsys Software Integrity Group, echoed a similar concern. He told Spiceworks, “The publication of source code and its subsequent removal doesn’t mean that someone didn’t copy that source code while it was public. Anyone having done so would have the ability to analyze the source code and identify if there are any exploitable weaknesses.”

“This is precisely the type of scenario that source code governance controls are designed to protect against.”

It is unclear how many people downloaded the leaked code.

Passed in 1998, the DMCA incorporates and implements two 1996 World Intellectual Property Organization (WIPO) treaties, viz., the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. It aims to criminalize infringement, address copyright issues, and prohibit illicit production and distribution of technology-related works, including code.

Mackey added, “The ability to publish source code to a company-owned GitHub repository should be subject to multiple governance controls and reviews. Occurrences such as what Twitter has experienced should be managed by the same processes that any organization would use to determine if and when they might want to ‘open source’ a project.”

“While such controls would help to protect the source code repository for an organization, it’s worth noting that when a developer works on their branch of source code, they will be using a personal account. Ideally, for corporate users, that ‘personal account’ is part of an enterprise-managed repository with appropriate access controls that restrict access to only approved users,” Mackey added.

From what is known, FreeSpeechEnthusiast probably did not use an enterprise-managed account.

Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
