Update 0030h: Well, that was quick. Brandy Baker of Facebook has left a comment which explains the leak. It turns out that it was the result of “single bug on a server” that exposed the code to a “small number of users” that was fixed “immediately”. Which is a fine enough explanation, I suppose. On the other hand, I am no security expert, but I do wonder if the number of users were small, and the time exposed was relatively short, what were the chances among those users was someone malicious enough – and savvy enough – to know enough about Facebook to pull down the source code, and then [turns out you may not need to be savvy at all, as it may have pushed raw code right to the browser] republish it? Perhaps the real issue now is not “Facebook’s security is suspect”, but “what will Facebook do to improve its security now that [a part of] its source code *has* been published?
By the time most of you read this, it will have splattered all across Techmeme and associated blogs. But thanks to a tip at TechCrunch (where else?) it looks like Facebook has been hacked and in a big way. Either that, or its the result of an inside job at Facebook. The end result is that [part of] the source code behind Facebook has been put up on a public blog with a single entry. I am no PHP guru so the exact meaning of said code will be best left for others to deciper, but this is a serious blow to Facebook with respect to how it manages its own security — and therefore, how it manages privacy issues.
Anyway, what I’m about to say next is something we all know, but it bears repeating. One of the many things that makes Facebook “special” is its ability to make sure that the identity that you claim you have is the one you actually have. This has changed somewhat since anyone can sign in and essentially join “no network”, but for many years, there was *some* test to make sure that you were a real person, and that was through the college that you went through (your email address specifically).
For this reason, I think many people probably trust Facebook more than other social networks. They don’t mind using real names. Real jobs. Posting real photos. And letting people know what their real relationships are.
I don’t really need to write any further to tell you that a breach of Facebook’s security could be, as a proxy, an indication of how secure it manages to keep its own information — and in turn *your* information. I mean whether its a technical hack or a social one, that led to this security breach, I shudder to think how the mainstream news media is going to pick up on this, and turn this into one giant spectacle — particularly seeing how large Facebook has gotten (in some cities anyway, such as Toronto) — because the issue does have merit.
What hope do any Facebookers have to safeguard their privacy if Facebook’s own source code has been leaked? In fact, how will its source code *being* leaked lead to *further* security and potential privacy breaches?
I have no idea how this is going to play out, save that the days for Facebook as Web2.0’s golden child may be coming to a quick close with this news. I don’t know what the title of next chapter will be, but I think that it will probably have to do with defending its credibility, which, if it leads to changes in subscription numbers, might in turn lead to serious talks about re-evaluations of its valuations.
Which, of course, would be huge.
