Facebook source code leaked to Internet
Misconfigured Web server exposes code for popular site's user interface
The source code, which was posted Saturday to a blog called Facebook Secrets, was still posted Monday on the blog.
A spokeswoman for Facebook said in a statement e-mailed to Computerworld that "a small fraction of the code that displays Facebook Web pages was exposed to a small number of users" because of a misconfigured Web server that was fixed "immediately."
The incident was not a security breach "and did not compromise user data in any way," the spokeswoman said. "Because the code that was released only powers the Facebook [user interface], it offers no useful insight into the inner workings of Facebook," she added.
However, Pete Lindstrom, a senior security analyst at Burton Group, said that anytime source code is accidentally revealed, "there is potential for an increase in risk." He added that when a company dismisses the security implications of such an incident, there likely really are security issues.
"There are enough folks out there trolling the Web sites and pull that code who will be perfectly happy to try to identify vulnerable areas that could be exploited," Lindstrom said. "If you're release source code to the wild, you're going to have some level of increased risk associated with it. I can't think of a case where you wouldn't."
Nik Cubrilovic, a developer and contributor to TechCrunch, which originally reported the source code leak, blogged that the code could be used by outsiders to better understand how the Facebook application works. With that knowledge, Cubrilovic said, those outsiders can find additional security holes or bugs.
"From just this single page of source code, a lot can be said and extrapolated about the rest of the Facebook application and platform," he wrote. "At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.
"[Facebook] will also need to take some very quick short-term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers pouring through the leaked code and probing their systems," he added.
Read more about Security in Computerworld's Security Topic Center.
- EndPoint Interactive eGuide In this eGuide, Network World, Computerworld, and CIO examine two endpoint trends - BYOD and collaboration - and offer tips and advice on...
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!