
Volunteer hackers help keep Twitter secure


Like a neighborhood watch patrolling suburban streets at night, there’s a small but devoted group of volunteers working to prevent Twitter from being attacked or exploited.

“We do what we know,” stated Stefano Di Paola, founder and Chief Technical Officer of Web security firm Minded Security. “If you were a chemical analyst, wouldn't you test, at least once, the water you usually drink for the sake of your (and other people's) health? We are security experts; we test applications for our and other people's safety.”

Based in Florence, Italy, Di Paola is one of a few dozen volunteers who help Twitter squish bugs and patch up holes. The group hails from all over the world, residing in places like Glasgow, Mumbai, and Boston, but they share a common goal: to stop hackers with more insidious intentions from getting inside Twitter’s systems.

The security researchers help out Twitter by trawling through the code and databases, alerting Twitter to anything that seems suspicious or strange. For example, Melvin Lammerts, a Dutch Web developer, spotted and helped resolve an issue that could have sent Twitter users to a website they weren’t expecting:

“A while ago, I noticed that the Twitter (t.co) URL shortening system's parsing (reading) and rendering (displaying) systems work differently. After a few days of trying out different combinations of unicode characters, I managed to create a tweet that showed a link to, for example, twitter.com, but went to fake-twitter.com. This issue made Twitter vulnerable to phishing attacks, so I reported the issue to Twitter's security team.”
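The failure mode Lammerts describes, where the text a renderer shows and the destination a parser resolves disagree, is easiest to catch by pushing both sides through one canonical form and comparing the resulting hosts. The following is an added illustration, not code from the article or from Twitter; it assumes the renderer's display text and the resolved destination URL are both available as strings, and uses the Python standard library's NFKC normalization and IDNA codec as that canonical form:

```python
import re
import unicodedata
from urllib.parse import urlsplit

_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def canonical_host(text):
    """Hostname that a strict parser resolves for `text`, in canonical ASCII form.

    The text a renderer shows and the URL a parser follows both pass through the
    same three steps, so any display/parse disagreement collapses to a string
    comparison:
      1. NFKC normalization (fullwidth letters and alternate dots become ASCII),
      2. URL parsing with the standard library (lowercases the host; drops port,
         userinfo, path and query),
      3. IDNA encoding (non-ASCII labels become their xn-- form).
    Returns None when no host can be parsed.
    """
    s = unicodedata.normalize("NFKC", text.strip())
    if not _SCHEME.match(s):
        # Bare display text such as "twitter.com" has no scheme; give it one so
        # it is parsed exactly the way the href is.
        s = "http://" + s
    try:
        host = urlsplit(s).hostname
    except ValueError:
        return None
    if not host:
        return None
    host = host.rstrip(".")
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def link_is_consistent(display_text, href):
    """True when the host the user sees and the host they would reach agree."""
    shown = canonical_host(display_text)
    target = canonical_host(href)
    return shown is not None and shown == target


def find_misleading_links(links):
    """Return the (display_text, href) pairs whose shown and real hosts differ."""
    return [(d, h) for d, h in links if not link_is_consistent(d, h)]


# Constructed sample pairs (not taken from the article): the display text a
# renderer would show, beside the destination the parser would actually follow.
SAMPLE_LINKS = [
    ("twitter.com", "https://twitter.com/home"),           # consistent
    ("ｔｗｉｔｔｅｒ．ｃｏｍ", "https://twitter.com/"),         # fullwidth text, same host after NFKC
    ("bücher.example", "https://xn--bcher-kva.example/"),  # IDN shown in Unicode, href in punycode
    ("twitter.com", "https://fake-twitter.com/login"),     # shown host differs from real host
]

if __name__ == "__main__":
    for display, href in find_misleading_links(SAMPLE_LINKS):
        print(f"MISMATCH: shows {display!r} but resolves to {canonical_host(href)!r}")
```

The point of the design is that neither side is trusted as-is: the display string is parsed with the same parser as the href, so a renderer and a parser that disagree about a unicode character cannot disagree about the result of this check. Hosts are compared only after normalization and IDNA encoding, which is why the fullwidth and the punycode pairs above are accepted while the plain host mismatch is flagged.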

Di Paola doesn’t spend as much time finding such issues as he used to, owing to family and work commitments. Still, he told us that many “researchers consider the identification of security issues a fun and challenging activity.” That is, as long as the owner of a Web property lets researchers test those potential flaws while trusting them not to exploit those security gaps.

When Twitter went down for a few hours last week, it wasn’t because of hackers. The site had a “cascading bug” that coursed through the code, rendering Twitter useless for a spell. (Mazen Rawashdeh, Twitter’s vice president of engineering, could not be reached for comment for this story.)

Lammerts isn’t so sure the volunteer troop could have caught the bug in time.

“Twitter has a great engineering team and problems like this can happen to any big website,” he said. “Because it's impossible to precisely duplicate the 'public' Twitter environment, it's very hard for developers to eliminate every issue, even if there's a whole team of volunteer debuggers working on it.”

That said, the group has achieved a few major accomplishments. In 2010, Di Paola spotted an issue that could have allowed a worm to infiltrate Twitter’s website. Twitter didn’t believe his claims at first, since the bug didn’t show up in the Safari Web browser. (Twitter HQ is heavy on Mac usage.) However, he eventually convinced Twitter that the bug existed in other Web browsers, and the company fixed the issue.

The drive to find bugs isn’t entirely altruistic, however. Google and Facebook both have bug bounty programs, where they reward researchers for identifying flaws within their systems. That’s what initially inspired Milad Bahari, a security researcher based in Iran.

His work for Twitter is different, though. He said he tests Twitter “almost for fun,” adding that “concentrating on it will let you test your knowledge.”

As with most volunteer gigs, there’s little in the way of reward for these so-called ethical hackers. But thankfully, they’re determined to fight the good fight, even if it means doing so on their own time and terms.

Photo of Stefano Di Paola via Twitter