path: root/wired/old/published/Webmonkey/Monkey_Bites/2007/08.13.07/Mon/Facebook.txt
Owing to a misconfigured server, Facebook exposed its homepage code to what the company called "a handful of users" over the weekend. The leaked code was promptly posted on a new blog, [Facebook Secrets][1], for all of the internet to see. 

Although Facebook hasn't specified what exactly was wrong with the server, it seems reasonable to conclude that some sort of mod_php error caused Apache to serve the code as an ordinary text file rather than processing it as PHP.

The code leak does not constitute a security breach and there's probably no immediate reason to be concerned about your data. However, given the number of includes and auxiliary files listed in the code, hackers now have a much better idea of how Facebook works and where potential vulnerabilities may lie. And it's hardly comforting that such an amateur programming mistake is happening at a site the size of Facebook.

PHP is notorious for just this sort of thing -- serving code as text -- but there are ways you can prevent it from happening on your own site. The easiest and most effective way is to use the Apache module mod_security, which can detect and stop PHP source code from being sent as plain text.
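Below is an added example of the kind of configuration the paragraph above refers to. It is not from the original post and is not Facebook's configuration; the document root, the rule id 100001 and the include-file extensions are illustrative assumptions. It does three things: binds `.php` files to the PHP handler explicitly so a missing mapping cannot make Apache fall back to `text/plain`, refuses direct requests for include files, and adds a ModSecurity 2.x response-body rule as a backstop that denies any response still carrying a PHP opening tag.

```apache
# Added example: defensive Apache httpd 2.4 / ModSecurity 2.x configuration.
# Paths, the rule id and the include-file extensions are assumptions.

# 1. Bind PHP files to the PHP handler in the main server config, so an
#    overridden or missing AddType/AddHandler cannot make Apache serve the
#    source as an ordinary text file.
<FilesMatch "\.(php|phtml)$">
    SetHandler application/x-httpd-php
</FilesMatch>

# 2. Never serve include/auxiliary files directly, whatever their handler
#    state. (Apache 2.2 would use "Order deny,allow" / "Deny from all".)
<FilesMatch "\.(inc|tpl)$">
    Require all denied
</FilesMatch>

# 3. No directory listings, so a stray include directory is not browsable.
<Directory "/var/www/html">
    Options -Indexes
</Directory>

# 4. ModSecurity backstop: inspect outgoing bodies and deny any response
#    that still contains a PHP opening tag, i.e. code that was not executed.
#    text/plain must be in the inspected MIME types, since that is exactly
#    what a misconfigured server would label the leaked source as.
<IfModule security2_module>
    SecRuleEngine On
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html
    SecResponseBodyLimit 1048576
    SecResponseBodyLimitAction ProcessPartial
    SecRule RESPONSE_BODY "@rx <\?php" \
        "id:100001,phase:4,deny,status:500,log,\
        msg:'PHP source code present in response body; check PHP handler config'"
</IfModule>
```

The handler binding in step 1 is the actual fix; the ModSecurity rule only limits the damage when that binding is lost. It will also fire on pages that legitimately display `<?php` in their content (a PHP tutorial, for instance), so such paths would need an exception before the rule is deployed on a site that publishes code samples.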

Regrettably for Facebook, it apparently wasn't using mod_security on the particular server that was misconfigured.

One group that should be quite happy with the leak is ConnectU, the company currently embroiled in a lawsuit with Facebook which alleges that the latter stole code from the former. If the allegedly stolen code happened to be on Facebook's front page, ConnectU's case just got a whole lot stronger, though ConnectU hasn't said anything to that effect.

Given the amount of personal data that many people have dumped into Facebook, an outside security breach would likely lead to an identity theft nightmare, should it ever happen. And if this weekend's code leak is any indication, Facebook doesn't seem to be operating at the security level you would expect from a site of that size.

[1]: http://facebooksecrets.blogspot.com/2007/08/facebook-home-page-code.html