Facebook posts source code on site by mistake

Published 15 August 2007

You would expect a site with the size and resources of Facebook not to fall victim to the most amateurish of server configuration errors, but it did; users who put a lot of personal data in their Facebook pages may want to reconsider

Owing to a misconfigured server this past weekend, Facebook exposed the PHP source of its home page to what the company called “a handful of users.” The leaked code was promptly posted on a new blog, Facebook Secrets, for all of the internet to see. Facebook has not specified what exactly was wrong with the server, but analysts concluded that some sort of mod_php failure caused Apache to serve the file as ordinary text rather than executing it as PHP. In itself the leak is not a breach of user data, and Facebook users probably need not worry about their information on that account. Trouble is, the code lists a large number of PHP includes and auxiliary file paths, so attackers now have a much better idea of how Facebook is put together and where potential vulnerabilities may lie. What is surprising is that such an amateurish configuration mistake would occur at a site with the size and resources of Facebook.

Those who work with PHP know that it is notorious for just this kind of mishap, serving code as text, and they also know how to prevent it. Apache hands a request to mod_php only because a handler directive maps the .php extension to the module; if the module fails to load or that mapping is lost, Apache falls back to treating the file as static content and sends the source to the browser. The direct fix is therefore in the Apache configuration: make sure the PHP module is loaded, bind every extension that contains PHP to it, and keep include files outside the document root so they cannot be requested at all. As a second line of defence, the Apache module mod_security can inspect response bodies, detect PHP source about to be sent as plain text, and block the response before it leaves the server.
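The check a practitioner would want after touching that configuration is a smoke test that fetches a few PHP URLs and refuses to pass if any of them come back as source. The script below is an added example written for this article; it is not Facebook's code, and the example.test URLs, the sample responses and the "plain text .php is suspicious" heuristic are all assumptions for illustration.

```python
"""Post-deploy probe: does this web server leak PHP source instead of running it?

Added example, not code from Facebook or from the original article.
"""
import re
import sys
import urllib.request
from urllib.error import URLError

# mod_php consumes these tags before any output is sent, so an open tag in a
# response body means the file went out raw. "<?xml" deliberately does not match.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)")

# When no handler claims a file, Apache serves it by MIME type; a .php or .inc
# URL answered with one of these types is the classic symptom even if the body
# happens to contain no open tag (for example a pure-HTML template include).
# Assumed heuristic; tune PLAIN_TYPES to your server's defaults.
PLAIN_TYPES = ("text/plain", "application/x-httpd-php", "application/octet-stream")
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def classify_response(url: str, content_type: str, body: str) -> str:
    """Classify one fetched response as 'leak', 'suspicious' or 'ok'."""
    if PHP_OPEN_TAG.search(body):
        return "leak"
    media_type = content_type.split(";")[0].strip().lower()
    if url.lower().endswith(PHP_EXTENSIONS) and media_type in PLAIN_TYPES:
        return "suspicious"
    return "ok"


def probe(url: str, timeout: float = 10.0) -> str:
    """Fetch url over the network and classify it; 'error' if the fetch failed.

    Only the first 64 KiB is read: an open tag in a leaked file is at the top.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ctype = resp.headers.get("Content-Type", "")
            body = resp.read(65536).decode("utf-8", errors="replace")
    except (URLError, OSError):
        return "error"
    return classify_response(url, ctype, body)


# Constructed sample responses (not real Facebook output) so the classifier
# can be exercised offline: a leaked script, a healthy page, a raw include.
SAMPLES = {
    "http://example.test/index.php": (
        "text/plain; charset=UTF-8",
        "<?php\nrequire_once 'lib/base.php';\n$user = get_current_user_id();\n",
    ),
    "http://example.test/home.php": (
        "text/html; charset=UTF-8",
        "<html><body><h1>Welcome back</h1></body></html>",
    ),
    "http://example.test/lib/header.inc": (
        "text/plain",
        '<div class="header">site header template</div>',
    ),
}


def check_samples() -> dict:
    """Run the classifier over SAMPLES; returns {url: verdict}."""
    return {url: classify_response(url, ctype, body) for url, (ctype, body) in SAMPLES.items()}


if __name__ == "__main__":
    # Usage: python probe_php_leak.py https://host/index.php https://host/lib/x.php ...
    # With no arguments it reports on the constructed samples instead.
    if len(sys.argv) > 1:
        verdicts = {u: probe(u) for u in sys.argv[1:]}
    else:
        verdicts = check_samples()
    for url, verdict in verdicts.items():
        print(f"{verdict:10} {url}")
    # Non-zero exit so a deploy pipeline can fail on a leak.
    sys.exit(1 if "leak" in verdicts.values() else 0)
```

Run it against the real host with the URLs of your entry points and of every include that sits inside the document root; the exit code makes it usable as a deployment gate. The "suspicious" verdict exists because a template include served raw contains no open tag and would otherwise pass, and the Content-Type check is what catches it.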

Facebook’s mishap can only bolster the confidence of rival ConnectU, which is suing Facebook over allegations that Facebook stole code from ConnectU. If the code in dispute happens to be in Facebook’s front page, ConnectU’s case just got much stronger. ConnectU has not commented on the leak.

Users who place a lot of personal data in their Facebook pages may want to think twice about continuing to do so: a security breach from outside could lead to identity theft on a large scale, and if this past weekend’s code leak tells us anything, it is that Facebook’s security measures and practices leave much to be desired.