With key source code already in the hands of malicious entities worldwide, something worse may now follow …
Recently, social media platform Twitter had parts of its source code leaked on GitHub, whereupon the firm succeeded in getting the code taken down.
According to the New York Times (NYT), the leaked code may have been exposed for several months before it was taken down. The offender published the code under the moniker “FreeSpeechEnthusiast”, a reference to Twitter CEO Elon Musk’s earlier description of himself as a “free speech absolutist”.
The NYT also reported that Twitter executives suspected a disgruntled ex-employee may be responsible for the leak, following Musk’s staff-culling exercise aimed at uprooting internal dissension and controversy.
How could this incident have been allowed to happen on GitHub? According to Tim Mackey, Head of Supply Chain Risk Strategy, Synopsys Software Integrity Group, the ability to publish source code to a company-owned GitHub repository should be subject to multiple governance controls and reviews. “Occurrences such as what Twitter has experienced should be managed by the same processes that any organization would use to determine if and when they might want to ‘open source’ a project. While such controls would help to protect the source code repository for an organization, it is worth noting that when a developer works on a branch of source code, he/she will be using a personal account. Ideally for corporate users, that ‘personal account’ is part of an enterprise managed repository with appropriate access controls that restrict access to only approved users.”
Mackey added: “Of course, the publication of source code and its subsequent removal doesn’t mean that someone didn’t copy that source code while it was public. Anyone having done so would have the ability to analyze the source code and identify if there are any exploitable weaknesses. This is precisely the type of scenario that source code governance controls are designed to protect against.”
Other experts around the world have surmised that this source code leak is intended as a “diversion for a bigger attack” that is still in the pipeline.