Facebook Leaks Its Own Code

By Lisa Vaas  |  Posted 2007-08-13 Print this article Print

Updated: Due to a server error, Facebook reveals part of its source code to users, who then post the code on a blog named Facebook Secrets.

Social networking site Facebook on Aug. 12 exposed part of its source code. The code was then posted onto a newly created blog named Facebook Secrets, and Facebook is now telling people not to use it. Facebook, based in Palo Alto, Calif., issued a statement about the incident, stressing its minimal impact. "A small fraction of the code that displays Facebook Web pages was exposed to a small number of users due to a single misconfigured Web server that was fixed immediately," a Facebook spokesperson said in an e-mail to eWEEK.
"It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further."
Some in the hacker community suggested that the problems dont stop here, though, given that Facebook runs a very old, very insecure Thttpd server—Version 1.0. "While it is a cool and tiny server, I would not run it. Just ask Google," said a poster to the Hacker Webzine, who then proceeded to link to a Google search on "thttpd 1.0 exploit" that returned a host of articles regarding vulnerabilities on this server. Click here to read about how Facebook has been opening up to developers. An open-source Web server from ACME Laboratories, Thttpd is designed to be simple, lean and fast. The first "t" in thttpd stands for, variously, tiny, turbo or throttling. The server features bandwidth throttling, a feature that enables an administrator to limit the maximum bit rate at which certain types of files may be transferred. "Thttpd is the first server I was able to exploit some six years back, so it brings back memories," said the Hacker Webzine poster. "One of my favorite exploits all time is the Off by one buffer overflow it suffer(ed)s from, because it really shows how careless programmers are: set a max buffer and forget that a loop starts counting at 0, + 1 and it overflows. Anyway, that not the point now. If they are running a very early version they should upgrade," the post said. A Facebook spokesperson declined to confirm whether a Thttpd server was in fact to blame for the code leak. Editors Note: This story was amended to state that Facebook didnt post its own code onto the Facebook Secrets blog. Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel