kerimsatirli.com

Why I prefer LinkedIn over Facebook

posted in Media on August 12th, 2007

While reading today’s news feeds, I came across this very interesting item on TechCrunch:

We just received a tip that the source code for the Facebook main index page has been leaked and published on a blog called Facebook Secrets.

While I am no PHP guru, the code looks legit, as far as I can tell, and that really makes me wonder: if someone can get to the most treasured part of a web application, its source code, how easy would it be for an attacker to grab all my non-public data from my profile? How easy would it be for people who should not have access to my data to actually create a profile on me and spam me even more?

Everyone always hypes how great Facebook and the Facebook API are, and while it is not yet clear whether the API contributed to the breach, it could still have been a contributing factor.

Facebook then gave an official statement, stating that it was a misconfiguration:

Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way.

TechCrunch’s Nik Cubrilovic then stated that:

It seems that the cause was apache and mod_php sending back un-interpreted source code as opposed to output, due to either a server misconfiguration or high load

High load? One would expect that, with a site like Facebook, the developers / company behind the whole application would take precautions so that there are no leaks like this.

Either way, this kind of breach is probably next to impossible with LinkedIn. The reason for that is, if you ask me, the fact that they do not give everyone access to their servers / services (by means of a supposedly badly coded API), and even if they did, I am more than certain that LinkedIn would have appropriate resources so that no server could experience the kind of high load that triggers it to reveal source code.
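As an added example (not from the original post, TechCrunch or Facebook), here is a small Python check a site operator could run against responses from their own server to catch the failure mode Nik Cubrilovic describes, where the PHP handler stops running and Apache returns the file's text instead of its output. It flags responses served with a PHP source media type or carrying a raw PHP open tag; the sample responses and URLs are constructed.

```python
import re

# Media types Apache attaches to a .php file when the type is mapped but no PHP
# engine processes it (browsers then offer the raw source as a download).
PHP_SOURCE_TYPES = {"application/x-httpd-php", "text/x-php", "application/php"}
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)


def source_leak_indicators(url: str, content_type: str, body: str) -> list[str]:
    """Return the reasons a response looks like un-interpreted PHP source.

    An empty list means the response passed. A correctly executed script never
    emits '<?php' into its output (documentation shows it escaped as '&lt;?php'),
    so a raw open tag in the body is a strong signal on its own.
    """
    reasons = []
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in PHP_SOURCE_TYPES:
        reasons.append(f"served with PHP source media type {media_type}")
    if url.lower().endswith((".php", ".inc")) and media_type == "text/plain":
        reasons.append("PHP file served as text/plain (no handler ran)")
    match = PHP_OPEN_TAG.search(body)
    if match:
        reasons.append(f"raw PHP open tag at offset {match.start()}")
    return reasons


def scan_responses(responses):
    """Map each URL to its indicators, keeping only responses that raised one."""
    return {
        url: reasons
        for url, content_type, body in responses
        if (reasons := source_leak_indicators(url, content_type, body))
    }


# Constructed sample responses standing in for fetched pages (not real captures).
SAMPLE_RESPONSES = [
    ("https://example.test/about.php", "text/html; charset=utf-8",
     "<html><body><h1>About</h1><pre>&lt;?php echo 'docs'; ?&gt;</pre></body></html>"),
    ("https://example.test/index.php", "text/html",
     "<?php\nrequire 'config.inc';\n$db = new PDO($dsn, $user, $pass);\n?>\n<html>...</html>"),
    ("https://example.test/config.inc", "text/plain",
     "<?php $pass = 'PLACEHOLDER_NOT_A_REAL_SECRET'; ?>"),
]

if __name__ == "__main__":
    for url, reasons in scan_responses(SAMPLE_RESPONSES).items():
        print(url, "->", "; ".join(reasons))
```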

Virtual hat tip to Elliot C. Back

[UPDATE]

Blake Ross kindly pointed out that the way this post was written suggested that part of TechCrunch’s statement was actually the official Facebook statement. It is not and I stand, humbly corrected.

Misquoting aside, I am still not happy about the fact that Facebook suffers this kind of problem right amidst their legal troubles, and it does make one wonder if this was a deliberate attempt or really just a misconfiguration.



7 Responses to 'Why I prefer LinkedIn over Facebook'


  1. Blake Ross said, on August 12th, 2007 at 11:45 am

    Despite your implication, the quote you provide was not Facebook’s statement. The statement was:

    “Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.”

    This error was not a result of high load and was not related to the platform API; it was, as the statement says, an error in server configuration that was quickly remedied.

  2. Kerim Satirli said, on August 12th, 2007 at 12:05 pm

    Blake,

    the statement of this stemming from a high server load is based on information I got from the TC post.

    The reason I said that this could be related to the API is that many people suggested that the quality of the code was not the way it should be for a web application of this size.

    It would make sense that code that does not scale properly could cause a high load and thereby trigger mod_php to leak uninterpreted code.

    Still, human or not, a mis-configured apache should not be able to cause this kind of leak. Many questions are still unanswered and I hope that there will be some form of (additional) statement.

  3. Blake Ross said, on August 12th, 2007 at 12:09 pm

    Kerim,

    I know where your quote came from, but your context is deceptive:

    “Facebook then gave an official statement, trying to blame a misconfiguration:”

    I’m not sure how you can draw conclusions about the quality of the Facebook source from one or two front-end files that contain little actual code and date back to the very beginning of the site.

    Blake

  4. Kerim Satirli said, on August 12th, 2007 at 12:15 pm

    I base my conclusions on comments I read that stated that the code lacked many of the important qualities that one would expect to find.

    The “trying to blame a misconfiguration” comes from older, similar situations where some kind of misconfiguration was blamed at first and then it became evident that someone had managed to gain access to a service by other means.

  5. Blake Ross said, on August 12th, 2007 at 12:18 pm

    I see you updated your post, but I don’t think I’m communicating well what’s misleading: you write that “Facebook then gave an official statement, stating that it was a misconfiguration:” followed by a quote that is not from Facebook. The set-up to the quote implies that Facebook provided it, which is not the case.

  6. Kerim Satirli said, on August 12th, 2007 at 12:23 pm

    I updated it indeed and forgot to put that in the last comment.

    Good pointer though; it does indeed make it look as if the quote came from FB’s official statement rather than from TC’s post.

    Time to rewrite.

  7. Marc Köhlbrugge said, on August 12th, 2007 at 1:49 pm

    The same happened to Topstat a long time ago. I was able to see all their source files including a file which contained a database username and password.

    It’s really easy to fix, just put your sensitive code outside your web-accessible directory. This is a rookie’s mistake and I’m surprised Facebook made it.