Twitter has taken down internal source code for its platform and tools that was leaked on GitHub for months. Now it’s using a subpoena to search for those who leaked and downloaded its code.
On Friday, GitHub complied with a DMCA infringement notice issued by Twitter because the leak exposed proprietary source code and internal tools, which could pose a security risk to Twitter.
According to the DMCA notice, the leak came from someone using the handle “FreeSpeechEnthusiast,” a clear reference to Elon Musk’s calling himself a free speech absolutist and suggesting that they are a disgruntled Twitter employee.
According to a report from The New York Times, it is unclear when the code was leaked, but the publication says that “it appeared to have been public for at least several months.”
As a solution for the copyright infringement, Twitter indicated that GitHub should provide info about the access history for the leak, likely to determine who downloaded or copied the code.
“Please preserve and provide copies of any related upload / download / access history (and any contact info, IP addresses, or other session info related to same), and any associated logs related to this repo or any forks thereof, before removing all the infringing content from Github,” reads the Twitter DMCA notice to GitHub.
The leaker’s GitHub account is still active but no longer has any public repositories. However, its past activity shows that the user’s first contribution (e.g., committing to a repo or opening an issue/discussion) was on January 3.
Twitter is now attempting to use a subpoena to force GitHub to provide identifying information regarding the FreeSpeechEnthusiasm user and anyone who accessed and distributed the leaked Twitter source code, which would be used for further legal action.
“All identifying information, including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the user(s) associated with the following GitHub username: FreeSpeechEnthusiast. Please include all identifying information provided when this account was established, as well as all identifying information provided subsequently for billing or administrative purposes.
“All identifying information, including the name(s), address(es), telephone number(s), email address(es), social media profile data, and IP address(es), for the users who posted, uploaded, downloaded or modified the data at the following URL [FreeSpeechEnthusiasm’s public GitHub repo].”
In a reply to BleepingComputer, GitHub said that they didn’t have anything else to add, as it is the general policy of the platform not to comment on decisions to remove content.
It is unknown how many people accessed or downloaded Twitter’s leaked source code, but the leaker had few followers. Even so, the leak could have repercussions for Twitter as the code may be scrutinized to find potentially exploitable vulnerabilities.
BleepingComputer has contacted Twitter with a request for a comment on the above, but we have not received a meaningful response yet.
In February 2023, Twitter’s owner and CEO, Elon Musk, announced that the company would open source the platform’s algorithm soon, although a timeline has yet to be defined.
On March 31, though, Twitter is expected to open source the code used for recommending tweets, according to a message on the platform from Musk.
Source: https://www.bleepingcomputer.com/news/security/twitter-takes-down-source-code-leaked-online-hunts-for-downloaders/