The Washington PostDemocracy Dies in Darkness

Twitter says parts of source code posted online, seeks leaker

The company asked a court to issue a subpoena to help it find the name of a user that posted its code online

Twitter submitted a subpoena Friday asking GitHub, an online platform used by software developers, to identity the user who leaked its source code. (Gregory Bull/AP)
5 min

Some of the computer code that powers Twitter has been leaked online, a legal filing claims, posing the latest challenge for Elon Musk’s social media network.

A user identified in court documents as “FreeSpeechEnthusiast” allegedly shared parts of Twitter’s source code on GitHub, an online platform used by software developers. Twitter, claiming copyright infringement, asked a court on Friday to compel GitHub to identify the poster and anyone who downloaded the code.

A GitHub spokesman confirmed in an emailed statement that the company complied with Twitter’s request to take down the code but declined further comment. Twitter did not respond to a request for comment.

The alleged leak comes as Musk faces numerous problems — from company cash-flow to site outages — in his efforts to change Twitter’s course through an aggressive mix of cost-cutting and policy changes. It also raises questions about the security of the site after Musk initiated large-scale layoffs, reducing the workforce by more than two-thirds. Former staffers had already wondered how the site would fare without so many key employees in their positions.

Twitter has been in a state of turbulence since Musk took over the company and slashed thousands of jobs. The outspoken billionaire behind Tesla bought the social media site for $44 billion last fall, saying he wanted to promote “free speech.” His ownership, as well as rapid changes at the company, has concerned some users who fear the rise of hate speech on the site as safety guardrails are rolled back. But others have praised Musk’s stated commitment to free speech.

Over the weekend, Musk sent an email to staff calling the company an “inverse startup” undergoing “radical changes,” according to the message seen by The Washington Post. In the email, which detailed stock awards being issued to employees, Musk said Twitter was valued at roughly $20 billion, “which is less than half of the acquisition price.” But, he said, he could see Twitter one day being worth more than $250 billion. The email was reported Saturday by news outlet The Information.

The company has wrestled with multiple challenges since Musk took over, including a rocky initial launch — and temporary pause — of a service that allows users to pay $8 a month for a blue check mark, a signal historically used to denote notable accounts that had their identities verified. Twitter has since relaunched the service and said last week that it will start removing the legacy, unpaid check marks on April 1.

Twitter has also endured significant outages when its engineers made minor tweaks to its code, leading Musk to publicly call the company’s code “brittle.”

“Will ultimately need a complete rewrite,” he said.

Twitter had been called out for alleged security deficiencies well before Musk took over — a former company security executive turned whistleblower, Peiter Zatko, alleged the company had deceived regulators about “extreme, egregious deficiencies” in its defenses against hackers.

That disclosure concerned some lawmakers and regulators because the company was already subject to oversight about its security and privacy practices from the Federal Trade Commission. The agency finalized a settlement with Twitter in 2011 after the company allegedly failed to properly protect users’ personal information.

It is unclear when the pieces of Twitter’s source code were posted online or whether the leak exposes Twitter to security vulnerabilities or hackers. It depends exactly what was leaked and who got access to it, said Kurtis Minder, chief executive of cybersecurity company GroupSense.

“Generally speaking source code is sort of the keys to the kingdom,” Minder said. “You generally don’t want your source code dumped like this.”

Source code, a collection of computer code that power websites and features, is quite expansive and could contain cryptographic keys that allow access to other company programs. While it’s possible that hackers could spot a mistake or weakness in the source code and find ways to exploit that, Minder said, it’s “probably unlikely” such a scenario would occur.

Lukasz Olejnik, an independent cybersecurity researcher and consultant, said that he doubts users’ personal information is in danger because of the leak and that the biggest risk for Twitter appears to be “reputational.”

It’s possible many people were able to access the source code, and “once this is leaked, it cannot be put back in the bottle entirely,” he said in an email, adding: “Whether an exploitable vulnerability can be spotted and utilized is difficult to gauge immediately.”

Twitter’s takedown request to GitHub described it as “proprietary source code for Twitter’s platform and internal tools,” while the legal filing called it “various excerpts of Twitter source code.”

Musk has floated the idea before of making some of Twitter’s code more transparent — he said this month that Twitter would “open source” all of the software code it uses to recommend tweets on March 31.

“People will discover many silly things, but we’ll patch issues as soon as they’re found!” Musk wrote on March 18. “Providing code transparency will be incredibly embarrassing at first, but it should lead to rapid improvement in recommendation quality. Most importantly, we hope to earn your trust.”

The New York Times on Sunday was first to report on the legal filing with the U.S. District Court for the Northern District of California.

Gerrit De Vynck and Faiz Siddiqui contributed to this report.