Meet the so-called "ethical hackers" who help Twitter squish bugs and patch up holes. 

Like a neighborhood watch patrolling suburban streets at night, there’s a small but devoted group of volunteers working to prevent Twitter from being attacked or exploited.

“We do what we know,” stated Stefano Di Paola, founder and Chief Technical Officer of Web security firm Minded Security. “If you were a chemical analyst wouldn't you test at least one time the water you usually drink for the sake of your (and other people's) health? We are security experts; we test applications for our and other people's safety.”

Based in Florence, Italy, Di Paola is one of a few dozen volunteers who help Twitter squish bugs and patch up holes. The group hails from all over the world, residing in places like Glasgow, Mumbai, and Boston, but they share a common goal: to stop hackers with more insidious intentions from getting inside Twitter’s systems.

The security researchers help out Twitter by trawling through the code and databases, alerting Twitter to anything that seems suspicious or strange. For example, Melvin Lammerts, a Dutch Web developer, spotted and helped resolve an issue that may have stopped Twitter users from visiting a website they weren’t expecting:

“A while ago, I noticed that the Twitter (t.co) URL shortening system's parsing (reading) and rendering (displaying) systems work differently. After a few days of trying out different combinations of unicode characters, I managed to create a tweet that showed a link to, for example, twitter.com, but went to fake-twitter.com. This issue made Twitter vulnerable to phishing attacks, so I reported the issue to Twitter's security team.”
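The defender-side counterpart to the mismatch Lammerts describes, as an added example that is not from the article, from Twitter or from t.co: reduce both the text a link displays and the destination it actually resolves to a canonical host, and flag any pair where the two disagree. The sample pairs, the folding rules and the helper names are constructed assumptions; the article does not say which characters were involved.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample data (hypothetical, not from the article): the text a tweet
# displays for a link, paired with the destination the link actually resolves to.
SAMPLES = [
    ("https://twitter.com/status/1", "https://twitter.com/status/1"),      # consistent
    ("https://twitter\uff0ecom/login", "https://fake-twitter.com/login"),  # full-width dot in display
    ("https://twit\u200bter.com/", "https://fake-twitter.com/"),           # zero-width space in display
    ("twitter.com", "https://twitter.com/"),                              # scheme-less display text
]


def canonical_host(text: str) -> str:
    """Reduce displayed link text or a real URL to a comparable hostname.

    NFKC folds compatibility characters (full-width letters and dots) onto their
    ASCII counterparts; format characters (zero-width spaces, joiners, bidi marks)
    are dropped because they render invisibly; then the host is taken from the URL.
    """
    folded = unicodedata.normalize("NFKC", text)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")
    if "://" not in visible:
        visible = "https://" + visible  # display text often omits the scheme
    host = urlsplit(visible).hostname or ""
    return host.lower().rstrip(".")


def display_matches_target(displayed: str, target: str) -> bool:
    """True when what the reader sees points at the host the link really goes to."""
    return canonical_host(displayed) == canonical_host(target)


def flag_mismatches(pairs):
    """Return the (displayed, target) pairs whose rendered host disagrees with the parsed one."""
    return [(d, t) for d, t in pairs if not display_matches_target(d, t)]


if __name__ == "__main__":
    for displayed, target in flag_mismatches(SAMPLES):
        print(f"render/parse mismatch: shows {canonical_host(displayed)!r}, "
              f"goes to {canonical_host(target)!r}")
```

The check belongs wherever the rendering and the parsing paths diverge, so that both are fed the same canonical host before a link is shown.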

Di Paola doesn’t spend as much time finding such issues as he used to, owing to family and work commitments. Still, he told us that many “researchers consider the identification of security issues a fun and challenging activity.” That is, as long as the owner of a Web property lets researchers test those potential flaws while trusting them not to exploit those security gaps.

When Twitter went down for a few hours last week, it wasn’t because of hackers. The site had a “cascading bug” that coursed through the code, rendering Twitter useless for a spell. (Mazen Rawashdeh, Twitter’s vice president of engineering, could not be reached for comment for this story.)

Lammerts isn’t so sure the volunteer troop could have caught the bug in time.

“Twitter has a great engineering team and problems like this can happen to any big website,” he said. “Because it's impossible to precisely duplicate the 'public' Twitter environment, it's very hard for developers to eliminate every issue, even if there's a whole team of volunteer debuggers working on it.”

That said, the group has achieved a few major accomplishments. In 2010, Di Paola spotted an issue that could have allowed a worm to infiltrate Twitter’s website. Twitter didn’t believe his claims at first, since the bug didn’t show up in the Safari Web browser. (Twitter HQ is heavy on Mac usage.) However, he eventually convinced Twitter that the bug existed in other Web browsers, and the company fixed the issue.

The drive to find bugs isn’t entirely altruistic, however. Google and Facebook both have bug bounty programs, where they reward researchers for identifying flaws within their systems. That’s what initially inspired Milad Bahari, a security researcher based in Iran.

His work for Twitter is different, though. He claimed he tests Twitter “almost for fun,” adding that “concentrating on it will let you test your knowledge.”

Like with most volunteer gigs, there’s little in the way of reward for these so-called ethical hackers. But thankfully, they’re determined to fight the good fight, even if it means doing so on their own time and terms.

Photo of Stefano Di Paola via Twitter
