Open source concerns
While it is relatively easy to share source code with the public — simply publish the code in a public repository like GitHub — Twitter will need to be careful as they consider what to share.
As with any code, there will be parts that shouldn’t be exposed. As background, a platform such as Twitter is built on numerous algorithms that perform different functions, and some of the more interesting ones monitor and manage the popularity of tweets. Some actively promote and prioritise tweets; others determine which posts become the most popular on the platform. For example, one algorithm scans new posts, checks which hashtags they use and ranks those hashtags as trending based on overall use. These algorithms ultimately decide which posts, and which points of view, gain attention. One of the interesting things about Musk wanting to open-source Twitter’s algorithms will be discovering how much value lies in the algorithms themselves versus the data they process.
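To make the idea concrete, a trending ranker of the kind described can be sketched in a few lines. This is a toy illustration only, not Twitter’s actual code: the real system is unpublished and will weigh many more signals (velocity, geography, spam filtering) than a raw count.

```python
from collections import Counter

def trending_hashtags(posts, top_n=5):
    """Rank hashtags by overall use across a batch of recent posts.

    A deliberately simplified sketch of a trending algorithm:
    count every hashtag across the batch and return the most used.
    """
    counts = Counter(
        word.lower()
        for post in posts
        for word in post.split()
        if word.startswith("#")
    )
    return [tag for tag, _ in counts.most_common(top_n)]

posts = [
    "Big match tonight #football",
    "Can't wait #football #worldcup",
    "New phone day #tech",
]
print(trending_hashtags(posts))  # ['#football', '#worldcup', '#tech']
```

Even this toy version shows why such code is less valuable than it sounds: the ranking logic is generic, and everything interesting comes from the stream of posts fed into it.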
Those of us who work with machine learning will be familiar with the notion that “there’s nothing special about ML; it’s the data that’s special.” This idea, first suggested by Google, underlines that most ML algorithms are quite generic: the value comes from the data you feed into them. Rubbish in, rubbish out.
While we sit on tenterhooks to see what might be revealed, in the end Twitter’s algorithms may not be that exciting at all. They might, in fact, be quite generic. And just maybe, similar algorithms will already be in use by other social media giants or newcomers. Could it simply be that Twitter’s user base and the tweets they produce are what makes Twitter special?
Open source: a preview of Twitter’s architecture
When you open the bonnet of a car and look underneath, you get a view of the engine that can lead to a better understanding of how it works. If Twitter’s algorithms are open sourced, threat actors will get a glimpse under Twitter’s metaphorical bonnet, giving them a deeper understanding of how the platform has been built and, in turn, clues on how to attack it or any other system built with the code. As we’ve seen with Log4Shell and Spring4Shell, vulnerabilities in widely used open source components are disproportionately valuable, because a single flaw compromises every system that embeds the code. Making its code open source may increase transparency for Twitter users, but it may also make Twitter a much bigger target for attackers.
Musk may also open up the Twitter API, allowing others to build software that interacts with Twitter, something drastically reduced under Jack Dorsey’s leadership. Supporting third-party development through an API also opens the platform up to threat actors, who will probe it to see whether they can extract sensitive data, which could lead to another scenario like the Facebook and Cambridge Analytica scandal.
User security implications
Of course, the security implications go much further if threat actors manage to break into Twitter and scrape user details. Many people on the platform use pseudonymous identities, which is particularly important for vulnerable users: for example, people living under a totalitarian regime who use the platform to speak out while hiding their true identity. Twitter is very popular with journalists in China, Venezuela, Saudi Arabia and other countries whose regimes seek to exert control over the press.
Three significant risks from such an exploit would be theft of user data, exposure of Personally Identifiable Information (PII) and impersonation of someone on the platform. The last may not sound as serious, but imagine how many people would view a tweet that appeared to come from Musk. Given Twitter’s ability to influence society and elections, impersonation on the platform could have huge ramifications. So could opening up the algorithms.
The war against bots
Musk has stated that he's on a mission to eliminate bots on the platform, which may actually help security professionals.
There are two primary types of bot operating on Twitter: ad bots and influence bots. Ad bots are pieces of code that access Twitter, monitor which hashtags are popular and then add those hashtags to their own advertising posts to make them more prominent in users’ feeds, essentially hijacking the popularity of those hashtags.
Influence bots are potentially more insidious and typically pop up around important events, such as elections, to influence the outcome. They achieve this by gaming the algorithms that gauge a post’s popularity from its retweet count, extending their reach to larger audiences.
You only need one of those bots to be close to your account, perhaps because you share similar interests or follow the same people, for its message to reach you. However, influence bots are fairly easy to spot: most post exactly the same message in quick succession, for example, “Don’t vote for Mr. Smith, he kicks kittens”.
One way Twitter could eliminate these bots is to search for tweets that are exactly the same and then silence the accounts behind them for 30 days, or terminate them completely. The risk is that legitimate people comment on and repost the same content, so more diligence is needed to separate them from bot accounts. Musk’s crackdown could therefore block more legitimate users, but unlike bots they are likely to complain to support and have their blocks removed.
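The duplicate-tweet heuristic described above can be sketched as follows. This is a hypothetical illustration, not Twitter’s actual enforcement logic; the function name, the `(account, text)` input shape and the threshold are all invented for the example.

```python
import hashlib
from collections import defaultdict

def flag_suspected_bots(tweets, min_accounts=3):
    """Flag accounts that post byte-identical messages.

    `tweets` is an iterable of (account, text) pairs. Any text posted
    verbatim (ignoring case and surrounding whitespace) by
    `min_accounts` or more distinct accounts marks them all as
    suspect. Legitimate users quoting the same slogan will be swept
    up too, which is why an appeals process is needed.
    """
    by_digest = defaultdict(set)
    for account, text in tweets:
        digest = hashlib.sha256(text.strip().lower().encode()).hexdigest()
        by_digest[digest].add(account)

    suspects = set()
    for accounts in by_digest.values():
        if len(accounts) >= min_accounts:
            suspects.update(accounts)
    return suspects

sample = [
    ("acct1", "Don't vote for Mr. Smith, he kicks kittens"),
    ("acct2", "Don't vote for Mr. Smith, he kicks kittens"),
    ("acct3", "don't vote for mr. smith, he kicks kittens"),
    ("alice", "Just saw a lovely sunset"),
]
print(sorted(flag_suspected_bots(sample)))  # ['acct1', 'acct2', 'acct3']
```

The example also shows the weakness noted above: the check is purely textual, so coordinated humans and coordinated bots look identical to it.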
Assuming Musk does a good job of eliminating bots, the open-sourced software would likely be used by other platforms fighting the growing bot problem. This goes beyond social media sites to computer games and online gambling sites where poker bots play a perfect game and effectively steal other players’ money.
Future for phishing
If Musk successfully creates an algorithm that eliminates bots, a potentially advantageous outcome would be new techniques that improve the detection and identification of threats such as spam emails, spam posts and other malicious intrusion attempts.
Threat actors need only a 1% success rate from phishing attacks to breach a network or account, so they rely on mass email distribution and on the trusting side of human nature to get targets to open the email. Technologies exist that check emails en masse to identify and remove malicious links and attachments; these should be dovetailed with constant education on current techniques, motivations and outcomes.
Phishing attacks are ubiquitous in everyday life — even those of us experienced in cybersecurity can be caught out by the quality of modern phishing emails, posts and texts. Enhancing the technologies to identify these phishing attempts while buffering unavoidable human error would save companies millions.
Opening up the Twitter platform increases the potential for abuse, both from those who want to game the Twitter algorithm and from threat actors who want to exploit user data or profiles. It will be interesting to see if and how Musk controls this, and what missteps happen along the way.
Jamie Mole brings more than 30 years of technology and cybersecurity experience to his role as senior technical manager at ExtraHop, where he helps customers understand and mitigate the risk contemporary threats pose to their business. In the early 1990s, he was one of the UK’s leading experts on computer viruses, authoring his own virus scanner for MS-DOS before joining Symantec as technical support lead for their cybersecurity product range, including the new Norton AntiVirus product. He’s also held numerous engineering roles at organisations across a variety of industries including healthcare, infrastructure, and finance.