Facebook Leaks Its Own Code

Updated: Due to a server error, Facebook reveals part of its source code to users, who then post the code on a blog named Facebook Secrets.

Social networking site Facebook on Aug. 12 exposed part of its source code. The code was then posted onto a newly created blog named Facebook Secrets, and Facebook is now telling people not to use it.

Facebook, based in Palo Alto, Calif., issued a statement about the incident, stressing its minimal impact.

"A small fraction of the code that displays Facebook Web pages was exposed to a small number of users due to a single misconfigured Web server that was fixed immediately," a Facebook spokesperson said in an e-mail to eWEEK.

"It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further."

Some in the hacker community suggested that the problems dont stop here, though, given that Facebook runs a very old, very insecure Thttpd server—Version 1.0.

"While it is a cool and tiny server, I would not run it. Just ask Google," said a poster to the Hacker Webzine, who then proceeded to link to a Google search on "thttpd 1.0 exploit" that returned a host of articles regarding vulnerabilities on this server.


Click here to read about how Facebook has been opening up to developers.

An open-source Web server from ACME Laboratories, Thttpd is designed to be simple, lean and fast. The first "t" in thttpd stands for, variously, tiny, turbo or throttling. The server features bandwidth throttling, a feature that enables an administrator to limit the maximum bit rate at which certain types of files may be transferred.

"Thttpd is the first server I was able to exploit some six years back, so it brings back memories," said the Hacker Webzine poster.

"One of my favorite exploits all time is the Off by one buffer overflow it suffer(ed)s from, because it really shows how careless programmers are: set a max buffer and forget that a loop starts counting at 0, + 1 and it overflows. Anyway, that not the point now. If they are running a very early version they should upgrade," the post said.

A Facebook spokesperson declined to confirm whether a Thttpd server was in fact to blame for the code leak.

Editors Note: This story was amended to state that Facebook didnt post its own code onto the Facebook Secrets blog.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.