Elliott C. Back: Internet & Technology

Facebook Index.php Source Code Leaked!

Posted in Code, Computers & Technology, Facebook, Hacking by Elliott Back on August 11th, 2007.

A newly created blog http://facebooksecrets.blogspot.com has posted a single, devastating post, the PHP source code to Facebook’s home page. The front page currently looks like this, and lets users log in or register:

[Image: facebook-homepage.jpg, a screenshot of the Facebook front page with its login and registration form]

My first question is: where did the source code come from? Who leaked it, and how? Techcrunch offers two theories: the first that a Facebook employee leaked the code, and the second that Facebook’s source code repository was hacked. Neither of these makes any sense; what really happened is that a Facebook third-party developer on the F8 platform found an injection attack that he could use to retrieve an arbitrary file. Since Facebook is written in PHP, it was inevitable that any injection attack would lead to a source code compromise.

My theory has proved incorrect, as minutes after the article went to press, a Facebook employee left the following comment on Techcrunch:

I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.

Thanks to you and the TC readers for helping us out on this one.

Brandee Barker
Facebook

Interestingly, The Wrong Advice points out a blog entry which used to contain the source to profile.php and a commenter who claims to have gotten photo.php. Others have posted search and groups code online. Facebook isn’t just hacked, it’s leaking source code all the time.
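A defender-side check that fits the misconfiguration Facebook described (a server handing out raw .php files instead of executing them), added here as an example and not taken from the leaked code or from Facebook: it inspects HTTP responses for .php URLs and flags bodies that still contain PHP open tags, or content types that only a raw file would carry. The URLs, headers and response bodies are constructed.

```python
import re
from typing import Dict, List, Tuple

# Opening tags that only survive in unexecuted PHP: a correctly configured
# server consumes everything between them before the response leaves.
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

# Content types a default file handler uses when it does not know the file
# is a script (application/x-httpd-php appears when the type is mapped but
# no PHP module is loaded to run it).
RAW_FILE_TYPES = ("text/plain", "application/octet-stream", "application/x-httpd-php")


def looks_like_php_source(headers: Dict[str, str], body: str) -> bool:
    """True when a response for a .php URL appears to be raw, unexecuted PHP."""
    ctype = headers.get("Content-Type", "").lower()
    if ctype.startswith(RAW_FILE_TYPES):
        return True
    # A misconfigured handler can still label the file text/html, so the
    # body is inspected regardless of the declared type. HTML-escaped
    # "&lt;?php" in a rendered page does not match.
    return PHP_OPEN_TAG.search(body) is not None


def scan_responses(responses: List[Tuple[str, Dict[str, str], str]]) -> List[str]:
    """Return the .php URLs whose responses look like source disclosure."""
    return [url for url, headers, body in responses
            if url.lower().endswith(".php") and looks_like_php_source(headers, body)]


# Constructed sample responses (hypothetical host, not real traffic).
SAMPLE_RESPONSES = [
    ("https://example.test/index.php",                  # executed correctly
     {"Content-Type": "text/html; charset=utf-8"},
     "<html><body><form action=\"login.php\">Log in or register</form></body></html>"),
    ("https://example.test/index.php",                  # served as a plain file
     {"Content-Type": "text/plain"},
     "<?php\n// make sure big tunas haven't moved around\nrequire_once 'lib/init.php';\n"),
    ("https://example.test/profile.php",                # labelled html, still raw
     {"Content-Type": "text/html"},
     "<?php include 'header.php'; ?>\n<html>...</html>"),
    ("https://example.test/static/notes.txt",           # not a script, ignored
     {"Content-Type": "text/plain"},
     "release notes"),
]

if __name__ == "__main__":
    for url in scan_responses(SAMPLE_RESPONSES):
        print("possible source disclosure:", url)
```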

The alleged source code contains some humorous comments, which I will list here:

// FIXME?: is it sub-optimal to call this both in requests_get_cache_data and here?
// Holy shit, is this the cleanest fucking frontend file you've ever seen?!
// make sure big tunas haven't moved around
// Merman's Admin profile always links to the Merman's home
// Friend's Feed Selector - Requires dev.php constant

I’ve got the feeling that Facebook, just like MySpace, is a web 2.0 site strung together with glue; glancing at the alleged code doesn’t make me feel great about their infrastructure. They have huge Win32-API-esque function names like multiget_fresh_notstale_hashed_network_with_orientation (I made this up), a procedural rather than object-oriented structure, and no clean abstractions or MVC scheme. At least they’re using Smarty for templating, though…

Update: They’ve added the code for Facebook’s s.php search feature. When will it stop!?

This entry was posted on Saturday, August 11th, 2007 at 11:45 pm. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback.

6 Responses to “Facebook Index.php Source Code Leaked!”

  1. Rawr says:

    Apologies for replying to such an old post, but I felt like I must clear up a few things.

    It doesn’t appear they’re using Smarty as their template system, but rather a custom one.

    Sure, it’s not object oriented, but that’s fine. Forced indirection sometimes makes the abstraction clearer.

    I think the abstract looks pretty clean and does split up the logic in a way that could be called “MVC” by some developers, especially given how most PHP Frameworks aren’t true MVC.

    I can see that it would be quite easy to split their code up into separate files for MVC. They just use one self-contained file for a function and put different logic in sections.

    It’s quite obvious where the View would be, there’s a lot of preparations for the template system. Likewise, it appears all their models are in separate files (/lib).

  2. christof says:

    Grow up! You are making such a big deal out of this, and blaming it all on PHP. It was a web server configuration problem and has nothing to do with the language PHP. Why don’t you rather give credit to a fantastic system written in PHP, a system that performs well and is extremely fast given the amount of requests per day? I know about a few other sites that were rewritten from Java or ASP to PHP because performance was key.

  3. Brian says:

    Facebook seems to be all over the press lately. Perhaps a publicity stunt? Nah. Do people really expect flawless websites these days? I mean, if Microsoft, which has unlimited resources, gets caught with their pants down from time to time, of course companies like Facebook are going to get burned. Once you get to a certain size, the hackers come a callin’.

  4. Mat Collins says:

    o.O Wahoo… It’s a good thing my password wasn’t in that file! lol.
    Nah, in all reality, this was a bad thing. Facebook has been under fire recently, and this is just going to put more fuel on it.

  5. Manny says:

    FacebookSOURCE.com has a lot of other scripts, hacks, and tricks for Facebook, as well as other links to Facebook’s Homepage script in case this one goes offline.

  6. [...] Virtual hat tip to Elliot C. Back [...]
