What are the security risks (or not) of making Twitter source code public?
It’s hard to say “politics aside” and be serious these days when talking about Elon Musk, the Tesla and SpaceX CEO, Twitter owner-in-waiting, and richest man in the world.
But seriously, apart from the unending avalanche of commentary on the possible political implications of Musk’s impending Twitter takeover, there is some fairly intense, nonpartisan discussion going on among tech experts about whether his pledge for more transparency could lead to some unintended security risks, both for the platform and its users.
Specifically, Musk has said that to increase transparency and trust, he intends to make public the source code for Twitter’s content-policing algorithms.
This has led to some declarations that Musk is making Twitter an open source platform. But that label wouldn’t really change anything, because Twitter already runs on open source, just like every other business in the world.
These days, every business is a software business, and open source software is in virtually every one of their codebases. It also makes up the large majority (nearly 80%) of those codebases.
Kurt Seifried, chief blockchain officer and director of special projects at the Cloud Security Alliance, noted that, “You can’t write a web server/client — you have to use an open source one. They’re too complicated now to build in-house. This goes for most software.”
Indeed, Twitter itself declares that it “has been built on open source since the beginning. Openness is part of our DNA.”
Opening the source
What would be “open” in a different way is Musk’s declared intent to make Twitter’s own source code public.
If he does, it looks like it would fall in line with a bill proposed in February by U.S. Democratic senators Ron Wyden (Oregon) and Cory Booker (New Jersey) and U.S. Rep. Yvette Clarke (New York). Titled the Algorithmic Accountability Act of 2022, it would, according to a Wyden press release, “bring new transparency and oversight of software, algorithms and other automated systems that are used to make critical decisions about nearly every aspect of Americans’ lives.”
But multiple experts note that transparency for all of us good people means transparency for bad people as well — those who would like to exploit weaknesses in the code or create their own modified versions of it for malicious purposes.
Open source software is no more or less secure than proprietary or commercial software, but its ubiquity makes it a very large, attractive attack surface. Indeed, vulnerabilities in the popular open source Apache logging library Log4j, which became public in December 2021, were present in hundreds of millions to billions of systems, services, websites, and devices.
Jamie Moles, senior technical manager at security firm ExtraHop, told TechCrunch that Log4j shows how “widely used open source applications are exponentially more valuable. Making its code open source may increase transparency for Twitter users, but it may also make Twitter a much bigger target for attackers.”
Tim Mackey, principal security strategist within the Synopsys Cybersecurity Research Center, cited another likely, and unwelcome, result. He said if the source code becomes public, it “creates an opportunity for forks or branches of code, thereby changing the Twitter client from being single-source to being available from multiple outlets.”
To avoid using the wrong one, Mackey said “IT departments maintaining employee app stores should ensure that employees use only Twitter mobile clients sourced from Twitter and authenticated as being released by Twitter.”
Jennifer Cobbe, a postdoctoral research associate at the University of Cambridge, told Technology Review that the risks of making the source code public outweigh any transparency benefits, agreeing with others that making source code accessible to all would include access to malicious hackers looking for vulnerabilities.
And Eerke Boiten, a professor of cybersecurity at De Montfort University in the U.K., said open sourcing Twitter’s algorithms could help bad actors get better at gaming the system, which could make one of Musk’s other stated goals, “defeating all spam bots,” even harder.
Of course, Twitter, like any major social media platform, has been a target for cybercriminals since it became popular. BleepingComputer reported just this past week that “numerous reporters at BleepingComputer have been targeted with phishing emails pretending to be from Twitter Verified — Twitter’s verified account platform.”
If account holders are tricked into entering their credentials, those accounts could be used to promote scams. The magazine noted that last year cybercriminals used compromised Twitter accounts to promote a fake cryptocurrency giveaway, allegedly from Musk, that netted them more than $580,000 in a single week.
Rafal Los, vice president and chief strategy officer at Lightstream Managed Services, said an even greater danger would be if criminals or a hostile nation state were able to hack the platform and take over the account of a political leader, like the U.S. president. “Think about what would happen if the president’s account tweeted out ‘We’re invading Russia tomorrow,’ or something like that,” he said. “It could cause chaos.”
But he also argued that the risks of bad actors gaming the algorithms if the source code becomes public are worth it. “Laws that are meant to protect us are transparent and open,” he said. “Sure, people find creative ways to subvert the spirit of the law while technically not breaking it. But if the laws we live by were not transparent, we’d all be uncertain how and with what rules we were being governed.”
“Uncertainty creates paranoia and breeds conspiracy theories that you can’t prove or disprove,” he added. “That creates division and eventually leads society into a dark place.”
Seifried further noted that manipulating the system on Twitter is not new. “They [users] already game things,” he said. “You don’t need access to the source code to figure out what the source does. You can do black-box testing, feed it inputs, and observe the outputs, like people do with Google SEO [search engine optimization].”
He also doesn’t see a big risk of “imposter” Twitters by people who modify the code. “I could give you all the Twitter source code,” he said. “How are you going to run it at scale? Where do you find the competent people? Even if you do, how do you get hundreds of millions of people to switch over?”
And Los said there have been “many attempts at cloning or redoing the platform — all have miserably failed because the adoption of Twitter is so wide and fervent. Making the code open source raises that possibility — and we’re talking the entire codebase here — but I think that’s unlikely. Making the algorithms public and open source is more likely and a good idea.”