Update: 4.7.08 @ 2115h: Looks like ZDNet was hit, as per John’s comment below, via an xml-rpc hack, and no — they aren’t running an old version of WP either, which makes one wonder how vulnerable the newer versions of Wordpress are.

Just to recap: earlier, I documented how Tailrank’s “spam” was accidentally documenting some massive hacking efforts into blogs around the world. What I didn’t realize was that one of the “victims” was one of the more well-known tech blogs in the blogosphere, ZDnet.

Thanks to some intrepid screen capturing it looks like Allen Stern has shown that at one time ZDnet’s own blogs may have been hacked. If you head over to Tailrank, you’ll find that under the “technology” section (as of this writing) there is a ton of credit-card spam. However, as I mentioned yesterday, these are all legitimate blogs that have been hacked.

What’s surprising is that a lot of them are blogs from ZDnet, such as Steve Gillmor’s Inforouter, or ITFacts. As I mentioned yesterday, the probable reason why they are showing up as “spam” is because the security of those blogs was hacked and malicious ‘invisible’ code was inserted, which is what Tailrank is picking up (by accident!).

I was twittering with Matt Craven last night who wondered if Wordpress vulnerabilities were the issue. That, in fact, *may* be the case, as certainly ZDnet are running pretty old versions of Wordpress which are probably sensitive to security breaches — in fact, if you look up the source code, they are running, as of this writing, Wordpress 2.1.3, which, in fact, is more than a year old.

Addendum: As per John from CNet below, they are not.

As of this writing, it looks like ZDnet has scraped out all of the ‘invisible’ code / links through cleaning up their headers, but they’ll do well to upgrade to a more secure version of Wordpress (and it’s a lesson we should all take heed!).

MORE: Wondering where some of the Wordpress hackers come from? (not all, of course) Abe Olandres, former editor of the BlogHerald, notes that some of them are Filipino. He’s worked on some security problems in Wordpress and has found some of the comments to be in Tagalog. Furthermore, he sheds some light on exactly the kinds of Wordpress exploits that some hackers are using. <Disclaimer: Again, I am not suggesting that all hackers are Filipino, I only use the post to illustrate the issue>

Apr 07 2008, 12:20 pm

I’m embarrassed to say that I actually knew this tip a while ago, but never got around to implementing it until I read about it *again* today. Embarrassed because this blog has been hacked a few times, and in a fairly devious fashion as well, sometimes perhaps because of an old Wordpress installation — or, perhaps because of insecure folders (which makes me think someone behind Wordpress should really fix it).

What’s this tip?  Oh, a simple fix to get around securing your Plugins folder.

If you’re running Wordpress, unless you’ve already locked down your Wp-content folder with some .htaccess fixes, you may not notice that your Wp-content/plugins folder is naked and bare to the world. That is, navigate to http://www.yourblogname.com/wp-content/plugins and you may find a directory listing of your plugins folder, files and all. How do you fix it? Easy. Just upload an empty index.html into the wp-content/plugins folder and it’s all fixed.

Just out of curiosity, I decided to check the plugins folders of some other bloggers that I knew — while some did have this fixed, a surprising number did *not*.

If you haven’t locked down your plugins folder, please do so, because for many people it’s showing, and it’s just about as easy to fix as doing up your zipper.
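
The check and fix described above, as an added example that is not part of the original post: the script goes beyond the plugins folder and audits every directory under wp-content for a missing index file, then applies the same empty index.html fix. It assumes the web server serves index.html or index.php as the directory index; the sample tree and its plugin and theme names are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a wp-content tree for
# directories with no index file, then apply the post's empty-index.html fix.

# Print every directory under $1 that has neither index.html nor index.php.
# Such a directory shows a file listing when the server auto-indexes.
find_listable_dirs() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Drop an empty index.html into each directory reported above.
# Prints how many files were created.
plug_listable_dirs() {
    tmp=$(mktemp) || return 1
    find_listable_dirs "$1" > "$tmp"   # snapshot first, then modify the tree
    count=0
    while IFS= read -r dir; do
        : > "$dir/index.html" && count=$((count + 1))
    done < "$tmp"
    rm -f "$tmp"
    printf '%s\n' "$count"
}

# Constructed sample tree (hypothetical plugin and theme names) for trying
# the two functions offline. Prints the path of its wp-content directory.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/wp-content/plugins/sample-plugin/inc" \
             "$base/wp-content/themes/sample-theme"
    : > "$base/wp-content/index.php"
    : > "$base/wp-content/plugins/sample-plugin/sample-plugin.php"
    : > "$base/wp-content/themes/index.php"
    printf '%s\n' "$base/wp-content"
}

# Usage: sh audit.sh /path/to/wp-content   (report only; no changes made)
if [ -n "${1:-}" ]; then
    find_listable_dirs "$1"
fi
```

Run with a path, the script only reports; call `plug_listable_dirs` on the same path to create the empty index files.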

Jan 19 2008, 11:12 am

Update 0030h: Well, that was quick. Brandy Baker of Facebook has left a comment which explains the leak. It turns out that it was the result of a “single bug on a server” that exposed the code to a “small number of users” that was fixed “immediately”. Which is a fine enough explanation, I suppose. On the other hand, I am no security expert, but I do wonder if the number of users was small, and the time exposed was relatively short, what were the chances among those users was someone malicious enough – and savvy enough – to know enough about Facebook to pull down the source code, and then [turns out you may not need to be savvy at all, as it may have pushed raw code right to the browser] republish it? Perhaps the real issue now is not “Facebook’s security is suspect”, but “what will Facebook do to improve its security now that [a part of] its source code *has* been published?”

By the time most of you read this, it will have splattered all across Techmeme and associated blogs. But thanks to a tip at TechCrunch (where else?) it looks like Facebook has been hacked and in a big way. Either that, or it’s the result of an inside job at Facebook. The end result is that [part of] the source code behind Facebook has been put up on a public blog with a single entry. I am no PHP guru so the exact meaning of said code will be best left for others to decipher, but this is a serious blow to Facebook with respect to how it manages its own security — and therefore, how it manages privacy issues.

Anyway, what I’m about to say next is something we all know, but it bears repeating. One of the many things that makes Facebook “special” is its ability to make sure that the identity that you claim you have is the one you actually have. This has changed somewhat since anyone can sign in and essentially join “no network”, but for many years, there was *some* test to make sure that you were a real person, and that was through the college that you went through (your email address specifically).

For this reason, I think many people probably trust Facebook more than other social networks. They don’t mind using real names. Real jobs. Posting real photos. And letting people know what their real relationships are.

I don’t really need to write any further to tell you that a breach of Facebook’s security could be, as a proxy, an indication of how secure it manages to keep its own information — and in turn *your* information. I mean whether it’s a technical hack or a social one, that led to this security breach, I shudder to think how the mainstream news media is going to pick up on this, and turn this into one giant spectacle — particularly seeing how large Facebook has gotten (in some cities anyway, such as Toronto) — because the issue does have merit.

What hope do any Facebookers have to safeguard their privacy if Facebook’s own source code has been leaked? In fact, how will its source code *being* leaked lead to *further* security and potential privacy breaches?

I have no idea how this is going to play out, save that the days for Facebook as Web2.0’s golden child may be coming to a quick close with this news. I don’t know what the title of the next chapter will be, but I think that it will probably have to do with defending its credibility, which, if it leads to changes in subscription numbers, might in turn lead to serious talks about re-evaluations of its valuations.

Which, of course, would be huge.

Aug 12 2007, 12:07 am