The Twitter Engineering Blog

Information from Twitter's engineering team about our technology, tools and events.

Posts from Engineering: security

Bug Bounty, 2 years in

Security on a global platform like Twitter is a 24/7 job – we are constantly evolving to respond to new threats and attacks against our users and our systems. In order to stay ahead of the game we staff dedicated account-, network-, enterprise-, corporate-, and application-security teams, as well as an incident detection and response team.


Fixing a recent password recovery issue

We recently learned about — and immediately fixed — a bug that affected our password recovery systems for about 24 hours last week. The bug had the potential to expose the email address and phone number associated with a small number of accounts (less than 10,000 active accounts). We’ve notified those account holders today, so if you weren’t notified, you weren’t affected.


Sunsetting SHA-1

Implementing SHA-256 where we can, and addressing older certificates as needed.


Greater privacy for your Twitter emails with TLS

Protecting users’ privacy is a never-ending process, and we are committed to keeping our users’ information safe. Since mid-January, we have been protecting your emails from Twitter using TLS in the form of StartTLS. StartTLS encrypts emails as they transit between sender and receiver and is designed to prevent snooping.


Mesos 0.15 and Authentication Support

With the latest Mesos 0.15.0 release, we are pleased to report that we’ve added initial authentication support for frameworks (see MESOS-418) connecting to Mesos. In a nutshell, this feature allows only authenticated frameworks to register with Mesos and launch tasks. Authentication is important as it prevents rogue frameworks from causing problems that may impact the usage of resources within a Mesos cluster.


Forward Secrecy at Twitter

As part of our continuing effort to keep our users’ information as secure as possible, we’re happy to announce that we recently enabled forward secrecy for traffic on,, and On top of the usual confidentiality and integrity properties of HTTPS, forward secrecy adds a new property. If an adversary is currently recording all Twitter users’ encrypted traffic, and they later crack or steal Twitter’s private keys, they should not be able to use those keys to decrypt the recorded traffic.


Login verification on Twitter for iPhone and Android

At Twitter, we want to make it easy as possible to secure your account. Designing a secure authentication protocol is tough; designing one that is also simple and intuitive is even harder. We think our new login verification feature is an improvement in both security and usability, and we’re excited to share it with you.


CSP to the Rescue: Leveraging the Browser for Security

Programming is difficult — and difficult things generally don’t have a perfect solution. As an example, cross-site scripting (XSS) is still very much unsolved. It’s very easy to think you’re doing the right thing at the right time, but there are two opportunities to fail here: the fix might not be correct, and it might not be applied correctly. Escaping content (while still the most effective way to mitigate XSS) has a lot of “gotchas” (such as contextual differences and browser quirks) that show up time and time again.