While reading today’s news feeds, I came across this very interesting item on TechCrunch:
We just received a tip that the source code for the Facebook main index page has been leaked and published on a blog called Facebook Secrets.
While I am no PHP guru, the code looks legit as far as I can tell, and that really makes me wonder: if someone can get to the most treasured part of a web application, its source code, how easy would it be for an attacker to grab all my non-public data from my profile? How easy would it be for people who should not have access to my data to actually build a profile of me and spam me even more?
Everyone always hypes how great Facebook and the Facebook API are, and while it is not yet clear whether the API contributed to the breach, it could still have been a contributing factor.
Facebook then gave an official statement, trying to blame a misconfiguration:
Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way.
TechCrunch's Nik Cubrilovic then stated that:
It seems that the cause was Apache and mod_php sending back un-interpreted source code as opposed to output, due to either a server misconfiguration or high load.
High load? One would expect that, with a site like Facebook, the developers and the company behind the whole application would take precautions so that there are no leaks like this.
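One such precaution, added here as an example and not taken from the post or from Facebook: a monitoring check that runs over captured HTTP responses from your own site and flags a body that looks like raw PHP source instead of rendered output. The URLs, headers and bodies below are constructed samples, and the detection rules are heuristics chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Heuristic markers for unrendered PHP. A correctly handled .php request never
# returns the opening tag, so a body that starts with it is the strongest
# signal; a tutorial page that merely quotes "<?php" inside HTML is not a leak.
OPEN_TAG = re.compile(r"<\?php\b", re.IGNORECASE)
CONSTRUCTS = re.compile(
    r"\$[A-Za-z_]\w*\s*=|\b(?:include|require)(?:_once)?\b|\bfunction\s+\w+\s*\(")


def looks_like_php_source(headers: Dict[str, str], body: str) -> Tuple[bool, str]:
    """Return (leaked, reason) for one HTTP response."""
    ctype = headers.get("Content-Type", "").lower()
    if body.lstrip().lower().startswith("<?php"):
        return True, "body begins with a PHP open tag"
    if OPEN_TAG.search(body) and not ctype.startswith("text/html"):
        return True, f"PHP open tag in a {ctype or 'untyped'} response"
    # A non-HTML body dense with PHP statements (e.g. a short-tag "<?" file)
    # carries no "<?php" marker but still deserves a look.
    if not ctype.startswith("text/html") and len(CONSTRUCTS.findall(body)) >= 3:
        return True, "several PHP constructs in a non-HTML response"
    return False, "looks like rendered output"


def scan(responses: List[Tuple[str, Dict[str, str], str]]) -> List[Tuple[str, str]]:
    """Run the check over (url, headers, body) triples; return flagged (url, reason)."""
    flagged = []
    for url, headers, body in responses:
        leaked, reason = looks_like_php_source(headers, body)
        if leaked:
            flagged.append((url, reason))
    return flagged


# Constructed sample responses (not real captures).
SAMPLES = [
    ("https://example.test/index.php",           # healthy: rendered HTML
     {"Content-Type": "text/html"},
     "<html><body><h1>Welcome</h1></body></html>"),
    ("https://example.test/index.php",           # the failure mode: source echoed verbatim
     {"Content-Type": "text/html"},
     "<?php\n$user = current_user();\nrequire_once('lib/render.php');\n?>\n<html>..."),
    ("https://example.test/docs/php-intro.html",  # quotes the tag but is rendered output
     {"Content-Type": "text/html"},
     "<html><pre>&lt;?php echo 'hi'; ?&gt;</pre><p>Use <?php for PHP code.</p></html>"),
]

if __name__ == "__main__":
    for url, reason in scan(SAMPLES):
        print(f"ALERT {url}: {reason}")
```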
Either way, this kind of breach is probably next to impossible with LinkedIn. The reason for that is, if you ask me, the fact that they do not give everyone access to their servers and services (by means of a supposedly badly coded API), and even if they did, I am more than certain that LinkedIn would have appropriate resources so that no server could experience the kind of high load that triggers it to reveal source code.
Virtual hat tip to Elliot C. Back
Misquoting aside, I am still not happy about the fact that Facebook suffers this kind of problem right amidst their legal troubles, and it does make one wonder whether this was a deliberate attempt or really just a misconfiguration.