Computerworld -
The source code that powers the user interface for popular social networking site Facebook was inadvertently exposed over the weekend due to a misconfigured Web server.
The source code, which was posted Saturday to a blog called Facebook Secrets, was still posted Monday on the blog.
A spokeswoman for Facebook said in a statement e-mailed to Computerworld that "a small fraction of the code that displays Facebook Web pages was exposed to a small number of users" because of a misconfigured Web server that was fixed "immediately."
The incident was not a security breach "and did not compromise user data in any way," the spokeswoman said. "Because the code that was released only powers the Facebook [user interface], it offers no useful insight into the inner workings of Facebook," she added.
However, Pete Lindstrom, a senior security analyst at Burton Group, said that anytime source code is accidentally revealed, "there is potential for an increase in risk." He added that when a company dismisses the security implications of such an incident, there likely really are security issues.
"There are enough folks out there trolling the Web sites and pull that code who will be perfectly happy to try to identify vulnerable areas that could be exploited," Lindstrom said. "If you're release source code to the wild, you're going to have some level of increased risk associated with it. I can't think of a case where you wouldn't."
Nik Cubrilovic, a developer and contributor to TechCrunch, which originally reported the source code leak, blogged that the code could be used by outsiders to better understand how the Facebook application works. With that knowledge, Cubrilovic said, those outsiders can find additional security holes or bugs.
"From just this single page of source code, a lot can be said and extrapolated about the rest of the Facebook application and platform," he wrote. "At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.
"[Facebook] will also need to take some very quick short-term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers pouring through the leaked code and probing their systems," he added.
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2013 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
