The code used on social networking site Facebook can’t buy its way out of the press these days!
While a legal battle over code copyright is motoring on in the background, it turns out some PHP code used on the Facebook frontpage has come into the public domain (Techcrunch).
The code has been republished on Facebook Secrets, a one-post Blogspot blog.
While the code can't really be reproduced or used by an outsider for other projects, it does identify the directory structure used by Facebook and could possibly result in a few hack attempts.
Nik Cubrilovic (Techcrunch) comments that:
…this leak is not good news for Facebook, as it raises the question of how secure a Facebook user's private data really is. If the main source code for a site can be leaked, then it can be said that almost anything is possible…
…they will also need to take some very quick short term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers poring through the leaked code and probing their systems. At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform
Brandee Barker, a representative of Facebook, commented on the code leak within Techcrunch's comments:
Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.
Bloggers who republish the code can expect a few Cease & Desists by the sounds of Brandee Barker's response. But what measures are Facebook going to take to ensure that something like this doesn't happen again? The word on the web is that code leaks have occurred on Facebook before but this is the first time any leaked code was published.
It seems that the cause was Apache and mod_php sending back uninterpreted source code instead of output, due to either a server misconfiguration or high load (this is a known issue). It is also apparent that other pages have been revealed, and that this problem has occurred before, but only now has somebody actually posted the code online.
Nik Cubrilovic, the publisher of the article on Techcrunch, has posted some useful tips on his personal blog which may prevent a similar code leak incident happening on a server again.
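A defender-side check for the failure described above, as an added example that is not from the original post or from Facebook: it flags HTTP responses that carry uninterpreted PHP instead of rendered output, so a monitor can alert before a visitor republishes the source. The function name, reason codes and sample responses are constructed for illustration, and header names are assumed to arrive as `Content-Type`.

```python
import re

# PHP open tags that should never reach a client: "<?php", "<?=", or a bare
# short tag "<?" followed by whitespace. "<?xml" is deliberately not matched.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
# Tokens common in PHP source and rare in rendered pages (weak signal alone).
PHP_TOKENS = re.compile(
    r"\$_(?:GET|POST|COOKIE|SERVER|REQUEST)\b"
    r"|\b(?:include|require)(?:_once)?\s*\(?\s*['\"$]")
# MIME types conventionally mapped to the PHP handler in Apache configs; a
# client only receives them when the handler did not run.
PHP_MIME = {"application/x-httpd-php", "application/x-httpd-php-source"}


def source_leak_indicators(headers, body):
    """Return reason codes showing that a response is raw PHP source."""
    reasons = []
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in PHP_MIME:
        reasons.append("php-mime")
    tag = PHP_OPEN_TAG.search(body)
    if tag:
        # Rendered HTML that merely shows PHP escapes it as "&lt;?php".
        reasons.append("open-tag@%d" % tag.start())
    # Tokens only corroborate a strong signal; a tutorial page may quote them.
    if reasons and PHP_TOKENS.search(body):
        reasons.append("php-tokens")
    return reasons


# Constructed sample responses: (headers, body).
SAMPLES = {
    "rendered": ({"Content-Type": "text/html; charset=utf-8"},
                 "<html><body><h1>Home</h1></body></html>"),
    "leaked": ({"Content-Type": "application/x-httpd-php"},
               "<?php\nrequire_once 'lib/session.php';\n"
               "$uid = $_COOKIE['uid'];\n?>\n<html></html>"),
    "feed": ({"Content-Type": "application/rss+xml"},
             '<?xml version="1.0"?><rss version="2.0"></rss>'),
    "tutorial": ({"Content-Type": "text/html"},
                 "<pre>&lt;?php echo $_GET['q']; ?&gt;</pre>"),
}


def scan(samples):
    """Map each sample name to its list of leak indicators."""
    return {name: source_leak_indicators(h, b) for name, (h, b) in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLES).items():
        print(name, "LEAK" if reasons else "ok", reasons)
```

Run against responses fetched by an external health check, any non-empty result means the PHP handler did not execute for that request.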
I wonder if Facebook will notify their users of the leak? Their blog hasn’t been updated in four days and there is no mention of the leak on their website whatsoever.
Cormac

4 responses so far ↓
Wow - very scary stuff. Reading about it on a blog rather than on Facebook is crazy - I think the MySpace boys would have at least had the courtesy to mention it.
Niall, it’s a bit of a worry alright. Still no mention on their blog or anywhere on their site. Since Facebook pride themselves on their lack of spam, you’d think they’d alert their users of potential security issues.
But I suppose if they do alert them, they might panic unnecessarily. They don't seem to want to rock the apple cart.
From their explanation (mod_php not working) it isn't really a security threat or a worry at all and the code leaked isn't all that revelatory.
David, there may not be any cause for panic as a result of this leak, but it’s happened before and may happen again.
Facebook have to date shown that they're incapable of securing their server to the level of which their thousands of users should expect.
I removed my personal info, changed my password to a unique one and I used a ‘dummy’ email account for my notifications as a precaution.
I doubt FB will be severely breached or that any hack attacks will target user info but I'm not taking that chance.
Cormac