Facebook source code leaked to Internet
Misconfigured Web server exposes code for popular site's user interface
The source code, which was posted Saturday to a blog called Facebook Secrets, was still posted Monday on the blog.
A spokeswoman for Facebook said in a statement e-mailed to Computerworld that "a small fraction of the code that displays Facebook Web pages was exposed to a small number of users" because of a misconfigured Web server that was fixed "immediately."
The incident was not a security breach "and did not compromise user data in any way," the spokeswoman said. "Because the code that was released only powers the Facebook [user interface], it offers no useful insight into the inner workings of Facebook," she added.
However, Pete Lindstrom, a senior security analyst at Burton Group, said that anytime source code is accidentally revealed, "there is potential for an increase in risk." He added that when a company dismisses the security implications of such an incident, there likely really are security issues.
"There are enough folks out there trolling the Web sites and pull that code who will be perfectly happy to try to identify vulnerable areas that could be exploited," Lindstrom said. "If you're release source code to the wild, you're going to have some level of increased risk associated with it. I can't think of a case where you wouldn't."
Nik Cubrilovic, a developer and contributor to TechCrunch, which originally reported the source code leak, blogged that the code could be used by outsiders to better understand how the Facebook application works. With that knowledge, Cubrilovic said, those outsiders can find additional security holes or bugs.
"From just this single page of source code, a lot can be said and extrapolated about the rest of the Facebook application and platform," he wrote. "At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.
"[Facebook] will also need to take some very quick short-term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers pouring through the leaked code and probing their systems," he added.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts