Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Facebook Leaks Its Own Code



 By: Lisa Vaas
2007-08-13
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Updated: Due to a server error, Facebook reveals part of its source code to users, who then post the code on a blog named Facebook Secrets.

Social networking site Facebook on Aug. 12 exposed part of its source code. The code was then posted onto a newly created blog named Facebook Secrets, and Facebook is now telling people not to use it.

Facebook, based in Palo Alto, Calif., issued a statement about the incident, stressing its minimal impact.

"A small fraction of the code that displays Facebook Web pages was exposed to a small number of users due to a single misconfigured Web server that was fixed immediately," a Facebook spokesperson said in an e-mail to eWEEK.

"It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further."

Resource Library:
Some in the hacker community suggested that the problems dont stop here, though, given that Facebook runs a very old, very insecure Thttpd server—Version 1.0.

"While it is a cool and tiny server, I would not run it. Just ask Google," said a poster to the Hacker Webzine, who then proceeded to link to a Google search on "thttpd 1.0 exploit" that returned a host of articles regarding vulnerabilities on this server.

Click here to read about how Facebook has been opening up to developers.

An open-source Web server from ACME Laboratories, Thttpd is designed to be simple, lean and fast. The first "t" in thttpd stands for, variously, tiny, turbo or throttling. The server features bandwidth throttling, a feature that enables an administrator to limit the maximum bit rate at which certain types of files may be transferred.

"Thttpd is the first server I was able to exploit some six years back, so it brings back memories," said the Hacker Webzine poster.

"One of my favorite exploits all time is the Off by one buffer overflow it suffer(ed)s from, because it really shows how careless programmers are: set a max buffer and forget that a loop starts counting at 0, + 1 and it overflows. Anyway, that not the point now. If they are running a very early version they should upgrade," the post said.

A Facebook spokesperson declined to confirm whether a Thttpd server was in fact to blame for the code leak.

Editors Note: This story was amended to state that Facebook didnt post its own code onto the Facebook Secrets blog.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Facebook Leaks Its Own Code
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}v۸~zn˾mmEʑm9m򵔸ӻs IlS$/IVz%Ϝ}}ƭ/}В3qNl @P( ^ȹ5!>7)l}QͥwDZ{{^$?mf 2dd:u|h4=GR1Z>u3- ۀpg=,Ad-FF%SjL~Si6fZ3+3uB=Fg[ .pѱtbQmQ$ЁqG<afF\; Q!y mzM:m˗<AL|İ )/GOb[@a<B>vN|"BN3tQA KZH@!}F!N1BpH\fvj]uAs:Q]' +LMe{Zwmk:;ջv`Y"yƺƻKEHY7-7I09aNu{QVyHrj oAG:-djɠqX&aaB]cun9s@M4ة3Μ~QݘϚ#ղb_GsTDAE6R^,zK 47P}Hw@zaI$p<{߫.z1s;A >Щ}cF=QꠢI t":IJ=hyscиιvoa23fB/Jy7t$T4/f{H`\@9`88ʬEk>ԹG!{0fs;0ՑaǀTkZ%2Z}#%>M cRRK >I#r*B1,`@n& P 䎄Ћ R\ .<BIr h&,,ЂW-KKLAfsf(4{~4mbB$FNH!tP@W)v9& gƈI8*@BNT+V [?_7s]9U>1 $@Te2ff T_lP-xkJD%hT+1OMf٣M剧2 oϐ0Vq/S" 8zx<@DA.Xt> J+"$[ 4l թ6-44.&Xt-Wa?"!6w|ڧ.ns3R*r71T[OfZV,֪6DZT rQ*TU̠Lsn{1o)'@S(fgc>7_CPt*ɕ`s|\uj?edCe@3&c!av5,?6;?r9h3"©PiV(ܠ.ƽ+4Kv- "gSj6r@R#~lR@)"t$xLÚ8)ё,Hr- U z9@ tHXqHG&{ßE6(=S"vV;z0ͧ)R+d::JЯצ箇+á ,GjciM%fZ^@7 jV,+s=m򌠱7fcDH!S#2>Z q[k0(Lw*n1Ԟ$QS*n𳛳CĮP_*==@7_15SUӓU=4 aInjMĴz36"-_Ŧdo퀁ИY%7C:e۸q:&E16j` |󂢔c= TΩ,2rY gg\a-oS9e>c'Z\c!*X$t+5/w->s7кM{ls Cq33"nLt##A^וzEk5g}zMdC|fSj%~)Vi3>zJg P"H@*eo;U7iO;ԹB!?JyH3mrHUu{\ ew\]">?/$RQr+րkI-TTVE۪;,kJCDTȓkzȊ@G+ ސOkZDC~g$<@|)@TEMXr>&~ͳ!ӢBqiyB֢%37R8-ܝ`$@N|K!O]TEb2wq$zœ%hKg o@=_lXC5BTMnqkۗ217v ˽%j H@MYJeV.(zANIJV gI@=$g?am9`:J#U4qz27)۞kFMOs 'xG8?ws̡3I2|$UJRVJݞwlLu#u(L>)Uj!\\$Kr]W6_Tb zE#PX;HH(y?'l{H#t*{S7o^&^S@#+#I x]ʭ( ӄ;}"[Xa73 11U^\fJ-=h/!(0H_d`m٦DU]vvHCh.}MtO}ֻHg#\sbA%iNJ _hk-V7MklFhv~[Sx~+[ 5 LńBAjهA@R`OH5['#NHvRfp="B4X 1t<#a_RBI"Q6#=.#ķI͉π/aMa1:Vt"vWυR~<B<dxLԧ ǻB0ࠇg056Iw~HHD y>w8/{{$i!V) >$Eɪz:@7Gdj:BJ T5‹z-ŧ-[O|BBQDsJ1ޣx$ZfenjJlx4cƒL)%dJ@̓! =)!ʆI q^Oeq* ie ʒ ~q/i'ۡ ۓ_/G8 ( k|wsq^^ҽxsX<8RpHCà{>&AB|Hy#:*VJ\ZrdUO~DC. 6OY-<` y+sB^uofܥki9~"ѰvpL7؎- qYK+: CW .'{ClvgFТ*i{?SdŽ%ڔ{`ֳ|c@Ӝ)|s99hS<3m~ *`'6%jf9Eqx,3y\)]S|,Eu{v1CN{7 A皴/?ށ&_ < ItNu xU޻@uWfFY1Q}ͩr@x?{vf~%s Mu~oœO)+e{mҾ2CSq :a)`*98DH!HrSzUw7=o5\9sJe_g£ȄWN HFb;@Ɍ7Kҁ[W-3H-#-uoLbc?Ax9r.s\5"n'Z^(>W90J5=9$/@vmMDaf?ȿ LĴp|{21kQ]uvZS װO :&;x7Bf!?}la{ƙC3#@*yx\[s5&pRx66y)hTRrwg7 {6if;⫆̖~@z'fiOXW+O*? ÷zgV$g3o-(oǜx+5\SWe9[_ j{\nnA_kf^\3V,-hf?5,_gih4_q27t~x+F!Y9CobGh2i& x5UkV,c J {LɅ=z.2wHTX&qQ$dZ U -?KtI#U-?2+$A+HX\ YKQ!v|*}8 9Qzi79dyXg[  R~?MK1Fi< _KFk7Ӆ40fRc, ΥiP]=`)j1@0^z- <|GB #\"|\}$?Y)׶%KrE mj@\&z,Bts!YFhXROzRkIg+mLf|Boq mc}Gx}$Q#A}l Z`zYx3Rږ9J/PS93tc6ՅDŽҕZ)8 pL u֝h&+R--?,"L]{SX4)JXHWmTr 1A9XA`qb`IԄP > '{LoK/%Ӽ/T1)]}C`[\#1k9"cnG-1zZ'ŭ'KcW$_~cS &pV݁-d%܀JLw9ŠV,^-" a}$tD8ؽ߭DSU dRDS,m&l'b%^ ΄?QV-P?(ɦ םMhPt{ԓ; hsiSЕR4^SphG 8"aw~pp< LFڹȖE׸,j <rj!ӱkP۽]pD//pp̳*GpsHn-ޤ*؊!j=V+ξ?w ]7E.m`HUw\EIT ~%ygm:&ז_ hʽs,~N0*. ȅ+!DO T ֚}"؃<<:җe|^Ζ[R3oK'sM1l}Ms, -b=x[(ۘl rw$'ǝzJ- % ]_cTYi*d(Okh4ܽ-۳zѮc ?Sΰ^!- $y);ɯ 3/eDW~5Uܜݞ3333&'b^iKԞz9 - f ]j=oz^8ZrS 󫩰͓|[a!D6nmK[+SQQ 3o9Vl֘h !¼g-J5a,ئ׭mr}~3fX [~h_{&mP-)W^"J Gh_/#̘Ei\w& [χ5YB#P[9Qw>.6fQwpkdգ8hK[cX+x -i.7)]j(=fX/m LcJo&Bآ=V}x H/ W!"Qjr( ѰV섅.;UD #2\؞/ugK}tyRئ[ D%!P5_8yaTi驨i=Fc(YU۟ӺVm1ܞjA)~s}m@pk-?Wָ~m#å\'7zslG5? +j/5Bx2nr_Osa&Bo e! l8xw2dWhn cf8<77R!spʶAkoS :௲eva}6kF]q`Yesi%4,ҙ}GW},Z^I/Glp,Ωqfb~}2' ¬Q2 Ʊ4H^La!g53kx$H P@=\">8ZAOQ]襭gE|J }?I-~L󒗯Kyv)[ mQH|Pix4CZ#=%1%ȹ=#U}4.kkr*95VSJ->"G¿ I.'x ȋL,Tƛ#AkQ@{gD}jkɾ0X?`Bb8P`|k{wn/"$W7 e ~6[yTrJggHEڭ6-ݽ<H@jm3{^m/9==AmXYrRfYpiq\(Tcn5dow~z c&]wZz ,h@$}3?b)b~e.+sYl'vv=Uh%mF6qVdk*qP F[ RV$wߠf~z*ܟ'U^\ǭbAV7>2G\n|JaǷ t$rM!iƮ%jח|=_ؽe >p4*ejUtK֌ 2@s85ߟ}91%‚ 5"t|fGpD7O aX9g3bvv04x0|u#D l!j,ng昱Ki.#_;J|&ɿJSt0Ǧ&uVE$@4G4(lB6DcSJDn$|s/>,afԟڠ9 2zq"tU-g8i)4lDu23|kPk? :tYpVMT;ӟ{ɏ]mݜ(8&Z1 t!/HBzNszqcfFWX;SCdď'0 K1cwV@0_s] X\nz/qJle$K-ɕ@ KIɐ1; w=$ *G]FLjAs̴WWYuC'ݫAwI;>#pވ=jRvR@Lrs@AC؜~ 88@3Y ~Bߦ{H9]7zݜ=ʹ)оnJ>ӽLIwSs??nN?)ak]"" >"\@/RyB@)UJkC)C) Ro 9=ҡR!7~{B7PMJ7@7)$)ev pz%s^δS\yV K˳:ȳJSVڭ^ V`{J1gJ+~ W kw_W\afO[+^vfanTzIAJ;/6JQ^/Z%+$V MY[,Oмz'ϊ'aFW|Woya=nb2-XѦV{5_9=Uҍ&C"{aad>܃fcpR 1#ɥ,d5;H_=q lAptrmn/yW-Mĕ\wڝ{fm*63vf;w K췡\2F=s}>^vGk>kٓ.f=g~3fN,B8WEjnRh s)hj_ N+u7\*h w{qC4ЁI2|$UJR*TwR-W+w{5"M =$FU:)(r!/krg R˥*D`Q:Cdx|D!*emث,81C=b{è[FWWp E!Хok1 +ͫYLIU7/ {_C܁>K>@e^̶+j>b)?"sohxOX.~&]\ʠbCK؊:QOD-͟ ']']FL=,N> 3~M\Ƕ-HGsPsaQr_!-3|:S> ՉGD|&߲*tO=% ,^bٴR]0Zzv˵d <@T b)ubrޅ2]s$G뽳DfI܂L+q{̲T{aw:. ]C/~e{Fw) ZNY nܸ|U#.1606y8{ >^ ž[D{8Vr f$Ǧ2x[06:)+xlQbmrwZf$JB]HĴz&H)gxt1&Nϖ깶=[;5 5u7L_`/T#lSǚ1;vtAU<,ŃBc|(pމi`gD/y 9>;ow_x&<Ä YRem^#%xO~{1_B$/3Vm!#0,ϧ% AaHL*LĞP_ =6;ߞbs4D֢ca`[4&6Ur+&F瘾H(aGvz+F2jRgj[}Wosakeo "~Rc')G1^Dr-3n=GDπnuUDjβْ;j]׋aRVr. =n`nukXv{/ă_| PrgH2GD!᳠c)"3.(2m- e't}7{ /d-+2dŏv--HiY_Oׁ&O:`ɖX)ulln{Rab׈Q]eD$u@g ;؅Q ^ ?,ڍ K4Uظ C1L1P8vRKA+0 Se`[a K2Cڰ2a(yc<9Z@n% {ִ%^}HPVׁݞV Xo} 8O.h|ḿ Xu#(߄ђPF.r 9D+7ag,LJ B ɮx(ذo3@WD0;"Ysf"sE䕲&(Xp\'A6ΙɆz! : "9DU ]<#Vs/zqGׂ}Fa|dt-+Fz[Y3JbA4\in2;6Ei#~@ }H ozЩ5`y+@0W 1S[cp#1UBȟc4o@ 1?c}]nFQڦa#"îUTMmveѩOߵSqݼD]Y>vQ< + vf$6Ѿs,atX oV|޸+no3eO~N϶0NmkLȏ,,H[뙗Zg']Y.hj=E" ء~9#j #fxY [Rj`n~3 f+:d5hǵ"Sۄ!wpbaf=3C# {׀ 4 &@k%J @ oM!)F_O0JP)PPʙ@ÝqM idXf܃"s7 f ?’Y/~t\I3b4.t~96Y *kKTvȄ=G36cq kЇV_E'Q!/4Iѯ\j0AL}Ԭa?`~0GCߙtf*ތ}ÅypAT|e9 *})~:qƙUyIE/h>fQ]TКTMv2o ހ@Tzl >D YЈFqd,8'LA{d+pE"~7H |l&ՄuDڲcd a=GDo֚F^Y-_).XOo)GhB lbŖP n&?H6!ގOYf=tYX{C`T-_RgiJj&%<্%quwSkܥX? =Mx,sL R:/xfO-L7zCQe\Vh.Nrx1P'n?cl4^&'^H *7|媍i1RPdcxoz:!dPٶNLXu{d?PO 1aDC>5+4uV*z "n! T3pe5+DZiShXss # tbͬdMWfKX2MPY1+2zZ4 |"j BIu4d |>8]EՇqqQ~Q[cXi*n9o:ݷGkOz룄#Lx>ud4FhEi' A}]OOot3e.7c+A*]%p JEƢb1)(KG!֒zT+b܂Bb{mA\Gbz-Q7 e Zޘ)ܦ]Xb4Y7