Facebook's PHP leak SNAFU (and kuplamuovi)

No bubblewrap was harmed in the making of Tuesday's IT Blogwatch: in which Facebook suffers a self-inflicted source code leak. Not to mention, uhhh, the harming of bubblewrap...

I have heard Heather Havenstein:

The source code that powers the user interface for popular social networking site Facebook was inadvertently exposed over the weekend due to a misconfigured Web server. The source code ... was posted Saturday to a blog called Facebook Secrets. [more]

Nik Cubrilovic broke the story:

There are at least two possible ways that the source code got out - the first is that a Facebook developer has sent it out, or the more likely option that a security hole or other method has been used on either one of the Facebook servers or in their source code repository to reveal the code ... by taking a quick look through the code and by double-checking some paths that have been referenced, we can say with some certainty that this seems to be both real and also a recent version of the main Facebook page.

There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited ... In closed source applications it is common that developers rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure. [more]

Doug Caverly has good news and good news:

On the bright side, data belonging to Facebook’s many users appears to be completely safe and unaffected. Following that revelation, we should share more (relatively) good news - it was the company’s own mistake, not a hacker’s tinkering, that caused this disclosure.

...

This sort of occurrence is becoming something of a trend - in the past two weeks, information has leaked regarding Facebook’s revenue and its advertising rates. The social network has also gotten some unwanted attention over sexual predators, and lost a number of advertisers due to a mix-up involving the [British National Party, which is, “committed to stemming and reversing the tide of non-white immigration”].

The source code leak isn’t as potentially damaging as those last two stories, but it’s still not the best thing for Facebook’s reputation.. [more]

Will Knight is a bit worried:

I'm not about to cancel my account, but I do find it a bit worrying ... Having the source code is not the same as finding a vulnerability, however, so I don't think there's much cause for alarm right now. On the other hand, the story raises two important and worrying issues.

The first is that social networks place an awful lot of personal information in one location, raising the risk of identity theft - as several security experts have already warned. The second point, which is connected to the first, is that social networking services are becoming an ever more enticing target for computer hackers.

...

So while Facebook may be a safe place for your data right now, I think it is worth thinking carefully about just what sensitive information you keep there in future. [more]

Scott Gilbertson thinks he knows what went wrong:

Although Facebook hasn’t specified what exactly was wrong with the server, it seem reasonable to conclude that some sort of mod_php error caused apache to serve the code as an ordinary text file rather than processing it as PHP.

...

There are ways you prevent it from happening on your own site. The easiest and most effective way is to use the Apache module mod_security, which can detect and stop PHP source code from being sent at plain text. Regrettably for Facebook, the site apparently wasn’t using mod_security on the particular server that was misconfigured.

...

If this weekend’s code leak is any indication, Facebook doesn’t seem to be operating at the security level you would expect from a site of that size. [more]

Trae McNeely 'fesses up:

There are rumors about who leaked the Facebook code the other day. Well your answer is me. Actually, "leaked" isn't the correct term. I didn't have any access to their servers and I don't know any employees. Despite what you may think about my website I don't hack and I've never had intentions to ... the source code showed up on my browser not because someone leaked it to me or I took it. The code was the fault of Facebook.

...

Within several hours I received an email threatening legal action against me ... [to which] I responded: "This is hilarious ... Your legal threats don't intimidate me. All you'll do is harass my hosting company and use legal and technical language to get me to take it down ... Please note that the page was taken down at 2:10pm CST on August 12th of 2007. This is for your records and mine. If I hear anymore crap from you guys I'll sue for harassment." [more]

Trae who? Pete Cashmore has more:

[He's] a graduate of the University of Oklahoma. Based on the link to the forum thread he provided, we were able to confirm the story ... Although we were dubious of the story at first (it’s posted on a “make money” forum”), this is legit ... The forum thread was then pulled by McNeely in response to a takedown request from Facebook, but lives on in the Google cache.

...

The code was later reposted by FacebookSecrets ... But a quick check on Digg ... shows that [McNeely's] story was the first chronologically. In other words: McNeely was the source and FacebookSecrets was a copy.

The question is: is what he did illegal, as Facebook claims? Seeing as the code was served to his browser and there was no “hack” involved, it seems unlikely. McNeely isn’t completely new to leaking sensitive data, however: he also claims responsibility for the posting of the Nicolas Berg beheading video and Kobe Bryant’s accuser’s information. [more]

John Leyden has an interesting angle:

The leak comes at time when the founders of rival social networking site ConnectU are suing Facebook founder Mark Zuckerberg for allegedly stealing their code and business plans when they were all students at Harvard. We can expect ConnectU to examine the leaked code for any similarities with its own. [more]

Buffer overflow:

Around the Net Around Computerworld Previously in IT Blogwatch

And finally... Kuplamuovi!

Richi Jennings is an independent technology and marketing consultant, specializing in email, blogging, Linux, and computer security. A 20 year, cross-functional IT veteran, he is also an analyst at Ferris Research. Contact Richi at blogwatch@richi.co.uk.

Copyright © 2007 IDG Communications, Inc.

Shop Tech Products at Amazon