A newly created blog, facebooksecrets.blogspot.com, has posted a single, devastating post: the PHP source code to Facebook’s home page. The front page currently looks like this, and lets users log in or register:
My first question is: where did the source code come from? Who leaked it? How? TechCrunch offers two theories: the first, that a Facebook employee leaked the code; the second, that Facebook’s source code repository was hacked. Neither of these makes any sense; what really happened is that a Facebook third-party developer on the F8 platform found an injection attack that he could use to retrieve an arbitrary file. Since Facebook is written in PHP, it was inevitable that any injection attack would lead to a source code compromise.
My theory has proved incorrect, as minutes after the article went to press, a Facebook employee left the following comment on TechCrunch:
I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.
Thanks to you and the TC readers for helping us out on this one.
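The employee’s explanation describes the classic PHP source-disclosure failure mode: a server that, through misconfiguration, hands a .php file back as a plain file instead of running it through the interpreter, so whoever requests the page receives the source. The check below is an added example, not code from the original post or from Facebook; it shows how an operator can detect that symptom on their own hosts by inspecting what a .php URL actually returns. The sample responses are constructed for the example, and `classify`/`scan` are hypothetical helper names.

```python
import re

# Constructed sample responses (path, Content-Type header, body); these are
# illustrative, not captured traffic. The second and third entries mimic what a
# misconfigured server returns when it serves a .php file without executing it.
SAMPLE_RESPONSES = [
    ("/index.php", "text/html; charset=utf-8",
     '<html><body><form action="/login.php">...</form></body></html>'),
    ("/home.php", "text/plain",
     "<?php\nrequire_once('lib/core.php');\n$user = get_user();\n?>"),
    ("/photo.php", "text/html",
     "<html><?php echo render_photo($id); ?></html>"),
    ("/static/app.js", "application/javascript",
     "function f() { return 1; }"),
    ("/feed.php", "text/xml",
     '<?xml version="1.0"?><rss><channel></channel></rss>'),
]

# A PHP open tag surviving in the response means the interpreter never ran.
# Matching "<?php" or the short echo tag "<?=" but not "<?xml" avoids flagging
# XML prologs emitted by a correctly executing script.
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)


def looks_like_php_source(body: str) -> bool:
    """True if the body still contains an unexecuted PHP open tag."""
    return PHP_OPEN_TAG.search(body) is not None


def classify(path: str, content_type: str, body: str) -> str:
    """Classify one response as 'ok', 'source-disclosure' or 'unexpected-type'.

    Only .php resources are examined; static files are expected to be served
    verbatim and are reported as 'ok'.
    """
    if not path.lower().endswith(".php"):
        return "ok"
    if looks_like_php_source(body):
        # Raw source reached the client: the misconfiguration we care about.
        return "source-disclosure"
    if content_type.lower().startswith("text/plain"):
        # A script that executed but answered as text/plain is worth a look,
        # since text/plain is also how an unmapped handler often serves files.
        return "unexpected-type"
    return "ok"


def scan(responses):
    """Return (path, verdict) for every response that is not 'ok'."""
    findings = []
    for path, content_type, body in responses:
        verdict = classify(path, content_type, body)
        if verdict != "ok":
            findings.append((path, verdict))
    return findings


if __name__ == "__main__":
    for path, verdict in scan(SAMPLE_RESPONSES):
        print(f"{verdict:18} {path}")
```

In practice the same classifier would be run over responses fetched from a staging or production host after every deployment or configuration change, since the trigger for this class of leak is usually an edit to the web server’s handler mapping rather than a change to the application code.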
Interestingly, The Wrong Advice points out a blog entry which used to contain the source to profile.php and a commenter who claims to have gotten photo.php. Others have posted search and groups code online. Facebook isn’t just hacked, it’s leaking source code all the time.
The alleged source code contains some humorous comments, which I will list here:
// FIXME?: is it sub-optimal to call this both in requests_get_cache_data and here?
// Holy shit, is this the cleanest fucking frontend file you've ever seen?!
// make sure big tunas haven't moved around
// Merman's Admin profile always links to the Merman's home
// Friend's Feed Selector - Requires dev.php constant
I’ve got the feeling that Facebook, just like MySpace, is a web 2.0 site strung together with glue; glancing at the alleged code doesn’t make me feel great about their infrastructure. They have huge Win32-API-esque functions like multiget_fresh_notstale_hashed_network_with_orientation (I made this up), a procedural rather than object-oriented structure, and no clean abstractions or MVC scheme. At least they’re using Smarty for templating, though….
Update: They’ve added the code for Facebook’s s.php search feature. When will it stop!?
This entry was posted on Saturday, August 11th, 2007 at 11:45 pm.