Facebook Hacked! (Or Rather, The Door Was Left Unlocked)

Update 0030h: Well, that was quick. Brandy Baker of Facebook has left a comment which explains the leak. It turns out that it was the result of a “single bug on a server” that exposed the code to a “small number of users” and was fixed “immediately”. Which is a fine enough explanation, I suppose. On the other hand, I am no security expert, but I do wonder: if the number of users was small, and the time exposed was relatively short, what were the chances that among those users was someone malicious enough, and savvy enough, to know enough about Facebook to pull down the source code and then [turns out you may not need to be savvy at all, as it may have pushed raw code right to the browser] republish it? Perhaps the real issue now is not “Facebook’s security is suspect”, but “what will Facebook do to improve its security now that [a part of] its source code *has* been published?”

By the time most of you read this, it will have splattered all across Techmeme and associated blogs. But thanks to a tip at TechCrunch (where else?) it looks like Facebook has been hacked, and in a big way. Either that, or it’s the result of an inside job at Facebook. The end result is that [part of] the source code behind Facebook has been put up on a public blog with a single entry. I am no PHP guru, so the exact meaning of said code is best left for others to decipher, but this is a serious blow to Facebook with respect to how it manages its own security — and therefore, how it manages privacy issues.

Anyway, what I’m about to say next is something we all know, but it bears repeating. One of the many things that makes Facebook “special” is its ability to make sure that the identity you claim to have is the one you actually have. This has changed somewhat since anyone can now sign up and essentially join “no network”, but for many years there was *some* test to make sure that you were a real person, and that test ran through the college you attended (your college email address, specifically).

For this reason, I think many people probably trust Facebook more than other social networks. They don’t mind using real names. Real jobs. Posting real photos. And letting people know what their real relationships are.

I don’t really need to write any further to tell you that a breach of Facebook’s security could be, as a proxy, an indication of how securely it manages to keep its own information — and in turn *your* information. Whether it was a technical hack or a social one that led to this security breach, I shudder to think how the mainstream news media is going to pick up on this and turn it into one giant spectacle — particularly seeing how large Facebook has gotten (in some cities, such as Toronto, anyway) — because the issue does have merit.

What hope do any Facebookers have to safeguard their privacy if Facebook’s own source code has been leaked? In fact, how will its source code *being* leaked lead to *further* security and potential privacy breaches?

I have no idea how this is going to play out, save that the days of Facebook as Web 2.0’s golden child may be coming to a quick close with this news. I don’t know what the title of the next chapter will be, but I think it will probably have to do with defending its credibility, which, if it leads to changes in subscription numbers, might in turn lead to serious talks about re-evaluating its valuation.

Which, of course, would be huge.

16 Comments

  1. Aaron
    Posted August 12, 2007 at 12:13 am | Permalink

    Facebook has responded: http://www.techcrunch.com/2007/08/11/facebook-source-code-leaked/#comment-1551812

    It was a temporary server misconfiguration, not a security breach, and didn’t compromise any user data.

  2. Posted August 12, 2007 at 12:27 am | Permalink

    Yep … just saw that. ;)

  3. Aaron
    Posted August 12, 2007 at 12:30 am | Permalink

    It warrants an update of the article, no? (given the “Facebook Hacked” headline, etc.)

  4. Posted August 12, 2007 at 12:35 am | Permalink

    Could a server misconfiguration send out the whole source code in its entirety when you put in the Facebook URL?

  5. Jay
    Posted August 12, 2007 at 2:02 am | Permalink

    Provided the “misconfiguration” was forgetting to add the handler/load the extension for PHP in Apache, then, yes, any client-facing PHP files would be sent as text to the browser if you requested them.
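    A check for the failure Jay describes, added here as an example that is not part of the original post or of Facebook’s code: when a PHP host stops handing .php files to the interpreter (with Apache and mod_php, typically because the module is not loaded or the handler/type mapping for .php is missing), the scripts come back to the browser as text. The function below inspects a saved HTTP response for that condition. The host example.test and the two sample responses are constructed for illustration.

```python
"""Flag an HTTP response that looks like raw PHP source rather than rendered HTML.

Added example, not code from the original post or from Facebook. The sample
responses at the bottom are constructed for illustration.
"""
import re

# Things that must never reach a browser from a correctly configured PHP host:
# the PHP open tags, and constructs that only make sense server-side.
PHP_OPEN_TAG = re.compile(r"<\?php\b|<\?=")
PHP_SERVER_SIDE = re.compile(
    r"\$_(?:GET|POST|COOKIE|SERVER|SESSION|REQUEST)\b"
    r"|\b(?:require|include)(?:_once)?\b"
    r"|\bmysql_(?:connect|query)\("
)


def detect_php_source_disclosure(url: str, headers: dict, body: str) -> list:
    """Return a list of findings; an empty list means the response looks rendered."""
    findings = []
    # Header names are case-insensitive, so normalise before lookup.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "").lower()
    path = url.split("?", 1)[0].lower()

    if PHP_OPEN_TAG.search(body):
        findings.append("body contains a PHP open tag")
    if PHP_SERVER_SIDE.search(body):
        findings.append("body contains server-side PHP constructs")
    # A .php URL served as plain text, or with PHP's own MIME type, means the
    # web server handed the file out as a static file instead of running it.
    if path.endswith(".php") and (
        ctype.startswith("text/plain") or ctype.startswith("application/x-httpd-php")
    ):
        findings.append(f"{path} served with Content-Type {ctype!r}, not text/html")
    return findings


# Constructed sample responses for the hypothetical host example.test.
RENDERED = (
    "http://example.test/index.php?id=7",
    {"Content-Type": "text/html; charset=utf-8"},
    "<html><body><h1>Welcome back</h1><p>Your id is 7.</p></body></html>",
)
LEAKED = (
    "http://example.test/index.php?id=7",
    {"content-type": "text/plain"},
    "<?php\nrequire_once 'lib/auth.php';\n$uid = (int) $_GET['id'];\n?>\n"
    "<html><body><h1>Welcome back</h1></body></html>",
)

if __name__ == "__main__":
    for label, (url, headers, body) in (("rendered", RENDERED), ("leaked", LEAKED)):
        print(label, detect_php_source_disclosure(url, headers, body) or "looks fine")
```

    Where the check fires, the fix is on the server, not in the checker: restore the PHP handler, and keep only entry-point scripts under the web root so that library files such as the assumed lib/auth.php cannot be fetched directly even while the interpreter is not running.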

  6. Aaron
    Posted August 12, 2007 at 2:02 am | Permalink

    Tony: I don’t understand your question. A misconfiguration could serve the display code of the page a user is trying to access. So code for multiple pages could be displayed depending on where users navigate.

  7. Posted August 12, 2007 at 2:03 am | Permalink

    Well, I guess that’s the answer to my question. Thanks guys.

  8. Aaron
    Posted August 12, 2007 at 2:05 am | Permalink

    Also: I haven’t seen any claim that the “entire Facebook source” was released. For one thing, the bug could only display the highest (presentational) tier of the codebase, which is the least important. For another, I’ve only heard reports of 3-4 source files being made public.

  9. Posted August 12, 2007 at 2:11 am | Permalink

    No, you’re right — it’s only a small part of it. Also corrected.

  10. Posted August 12, 2007 at 4:37 am | Permalink

    Apparently, no one is allowed to fart in the New World.

  11. Posted August 12, 2007 at 7:45 am | Permalink

    While the Facebook phenomena is amazing what’s even more impressive is how much information people are willing to offer up about their personal lives, jobs, families, activities, interests, etc. It’s like we’re living in this age of total transparency where people are happy not to have private lives – at least when it comes to their digital existences.

  12. Posted August 12, 2007 at 9:47 am | Permalink

    Don: Or sneeze, or take a piss, or have a bag of chips. In the grand scheme of things, you’re right, it’s not big news, thankfully.

  13. Posted August 12, 2007 at 9:53 am | Permalink

    Mark:

    No question. I guess another question is that this particular leak may not have been significant, but what happens if one happens which *is*? The very fact that people share so much on Facebook is what makes the phenomenon what it is — and yet, it’s what makes a security threat that much more significant.

  14. Ian
    Posted August 14, 2007 at 11:39 am | Permalink

    I created a new Facebook account over the weekend, confirmed my registration and proceeded to add friends, edit profile information, etc. However, after logging out, I could not get back in… and trying to recover my password gave me a message saying that my email address was not registered. I was even able to recreate a new account using the same email address… GRRR! Has anyone else experienced this issue, or could this be related to source code exposure?

  15. Red Facedbook
    Posted September 19, 2007 at 5:01 am | Permalink

    Facebook is now calling these concerns “kinks” and, when you read the fine print, cannot even guarantee the safety of the applications and, thus, shirks its responsibility for users’ safety by adding a sentence that amounts to “use at your own risk”.

    Talking Smileys, the “Webfetti” toolbar, has adware attached to it … heaven forbid there are actually clever script kiddies authoring these “applications” and distributing them to the unsuspecting masses.

    There is even a chain mail going around that warns people of a hacker, citing an email address, and recommending no one accept his friend request “because he will get your computer’s ID”. This may be a load of crap, but it begs the question of whether or not one’s IP address is vulnerable to those on their friends network – and what Facebook plans to do to ensure the safety of its users.

    I do wonder, in light of the recent lawsuits associated with the developers of Facebook, whether people have rushed into a cyber-fad that is nothing more than a large database of information on virtually anyone to harvest from.

    Too many teething problems, security flaws and “kinks” nullify the viability of the Facebook project. At least as it stands today.

  16. Theresa
    Posted November 7, 2007 at 4:30 am | Permalink

    Listening to you guys is like attending a seminar with a panel of speakers discussing, in Greek, the molecular properties of black holes. Great if you are a Greek-speaking solar physicist (excuse the spelling, it’s late). I arrived in on the repartee among you fellows while trying to investigate the new requirements for downloading Smiley Faces on Facebook. I am a real neophyte to the world of the Internet. Although I possess a humble BA/Arts and a certificate in Admin. Assist/Computer Appls, I have learned what I know on the Internet by trial and error. I have only used the Internet at Employment Centres up to now. I have a homebuilt PC with 256 RAM and 7.78 Harddrive. Therefore, I was reluctant to download anything that would slow down or shut down my humble computer. I really enjoyed sending and receiving Talking Smileys on Facebook. Not excessively, of course. I even sent to myself occasionally for a quick laugh. Imagine my chagrin (sp? haven’t time to consult the ole Webster’s) when I discovered I had to download FlashPlayer. Having decided that this “might” be a safe move, I proceeded to do so. Meanwhile, in a moment of Internet abandon I had foolishly downloaded Webfetti. I noticed problems with my impotent PC right away, not that that was necessarily the cause, as if I would know anyway. In any case, after much trial and error I rid myself of this pest, only to find, lo and behold, this pesky critter now on Facebook’s Talking Smileys as a requirement for downloading. This is what led me to you esteemed gentlemen. I just want you to know that we ignorant masses will not go down without protest, and if you really want to be of help to people like myself, please include in your link (is that how you refer to the info line I clicked on?) some information that your average S.O.B. can understand.

    Thanks guys!

    Theresa Duplessis
    Fredericton, New Brunswick (Maritimes)
    Canada

7 Trackbacks

  1. [...] quickly after the post appeared on TechCrunch the Facebook patrol was out with the firehoses with Brandee Barker telling the TechCrunch readership that it was due to a misconfiguration of a single server that was quickly [...]

  2. [...] today TechCrunch posted an item regarding Facebook servers exposing raw PHP code, with blogosphere echo chamber making its rounds, telling a more negative story each time [...]

  3. [...] blogosphere is talking about facebook’s source code being leaked and though most people (including myself) can’t make sense of the leaked code, it does beg an important question: what does this mean for the safety and privacy of our personal [...]

  4. By Mark Evans - How Much Do You Peel Back the Onion? on August 12, 2007 at 8:05 am

    [...] its source-code was leaked or whether it simply had a server issue. Check out TechCrunch and Deep Jive Interests for all the [...]

  5. [...] recent press over Facebook’s now famous leak has prompted people to educate others on how to not have this happen.  Apparently the fix is [...]

  6. [...] Deep Jive Interests » Facebook Hacked! (Or Rather, The Door Was Left Unlocked) [...]

  7. [...] I liked Tony Hung’s response to a commenter on Deep Jive Interests who thought an update to Tony’s original post was [...]
