#1

Facebook Goes Open Source

Not intentionally, alas: a story topping Digg from an anonymous one-hit-wonder blog called FacebookSecrets (an increasingly common tactic for spreading data around) shows that a part of Facebook's source code was exposed to some users this weekend. The blog reposted all the code, which must surely have ruined Zuckerberg's weekend. A server misconfiguration, not a hack, is being blamed. Facebook has since confirmed the issue. Now we just need the ConnectU code to be exposed and we can close that case.

This does, however, raise serious questions about how secure Facebook may be. A code leak is a major, major problem for the site - the only thing that would generate more fear would be a hack that gained access to user data. And that's the huge risk: Facebook promotes itself as a place to connect to your "real" self. In fact, they delete any profile that doesn't represent a real person (I was forced to change my profile name from "Mashable" to my own, for instance), pretty much guaranteeing that 100% of the data stored there is correct. They also prevent people from signing up with names that sound fake. An exposure of user data, therefore, is the identity thief's dream. These risks increase as Facebook and other social networks open up: Facebook apps have yet to be abused, but there's the potential to do so.

#3 SiN's Lil Slave (Sins: 2,117, Xations: 20%)

This one is way too big. MySpace has some problems, many because they make a different server for everything and have tons of iframes, but none of that has ever compared to letting them see the source code. I give it 2 months before we see something from this happening.

#4 Paradox (Sins: 3,847, Xations: 14%)

When being a programmer makes me laugh at others' assumptions about coding in general...

The only security threat posed by people having seen Facebook's source code is if any security flaws existed in the leaked code (those would now be apparent and easier to exploit). In fact, assuming there are no security holes in Facebook's code (which, while unlikely, is still possible), you could have access to all the source code and it would not make one spit of difference, since you have to a.) get your new code onto the servers and b.) have it execute. This is very likely not a big deal at all (unless the exposed code exposes security holes in the code base that can be attacked from outside the servers).

#5 Sin's Playtoy (Sins: 2,608, Xations: 18%)

Getting new code onto the server is highly possible, especially since you can enter information in many areas. Even with scripts such as vBulletin, Joomla and other code it's not that difficult to do. Also, being able to use the information is easily done once you know what to look for. Knowing variable names and functions makes it that much easier to do. With all that MySpace allows people to edit and enter, the information is easily gained, and as you probably know, for at least a year people were exploiting the fact that you could edit other people's profiles without even knowing their password or email account, for that matter.

#6 Paradox (Sins: 3,847, Xations: 14%)

Once again the laughter continues. It is possible to get code onto a server through its server-side apps, if the admins were a.) dumb enough to allow it and b.) did not put some heavy password protection in place (of course you still have to start said code executing). By the way, vBulletin etc. allow for code to be added through the app interface. A security hole that has been exploited from time to time as they make better fixes for the code. And you can know all the functions and variables in the code and still not be able to exploit it in any way (as I said, if the code was 100% secure). For fuck's sake, I have 100% access to Unreal code and there are things I cannot do, with full server-side execution, because it compromises security within the code. (That said, there are several hacks I know of that would be 100% undetectable that I have not exploited, so they don't enter the free domain.) As stated above, blown out of proportion.

#7 Sin's Playtoy (Sins: 2,608, Xations: 18%)

You're funny. Like the MySpace problem: code was executed from a person's profile and infected the person's computer, which altered their profile. It doesn't matter how bad or good the password is, you could alter a profile without it. This was present in both Flash and QuickTime. The site was open to this, so your A reason can't apply, and since passwords aren't needed your B reason is shot. You don't know much about XSS attacks, to which many scripts are still open, including vBulletin and MySpace, and yes, Facebook. Cpixel code was exposed many times; if you know the variable, you can have anyone's password displayed in open text in the URL. Also, their voting system is from 1-10. Knowing the code, someone is able to vote for someone with a rating of 99. That's why they had to reset their database a few weeks before, because it got out. Maybe your data on the sites isn't worth stealing or having, but there could be data on these sites people would rather not get out.

#8 Platinum Squire (Sins: 287, Xations: 0%)

I don't know much about this, but doesn't it depend on how well they program the site? I mean, if it wasn't a big matter then wouldn't no one care? I mean, just the other day Sinny posted that you could read other people's mail on Facebook. Now that's what I call a major security problem.

#9 Paradox (Sins: 3,847, Xations: 14%)

Nina, your reply just proved I'm right. My point was a source leak is nothing to worry about if the code was properly coded, but we're dealing with applications where the code has security flaws in it, in which case a source code leak only accelerates the security violations. If I was to code one of these sites, short of actual security flaws within the platform I chose, you could have access to the source code and it would do shit for you. Hell, I've managed to program a new GUI for UT200x that is bulletproof to other users expanding on it, and they get direct executable access to the code (thank god for private and protected members).

Edit: And it relies on linked lists, one of the most easily broken methods of propagation in UScript.

#10 Owner (Sins: 909, Xations: 0%)

I love heated debates like this. And usually it's only Nina and Hsoolien who can argue with each other and it not come down to any name calling. Damn, I have some weird friends. But back to the matter. I'm going to state this on a 3-point system, giving Nina 2 points and Hsoolien 1 point. And I'll explain why.

1pt to Nina. Source code being leaked is always potentially dangerous. Please notice the word potentially. In no way does it mean it is dangerous, it just has possibilities. In fact any information, even cookie information, can be used to potentially break a website. Trust me, I know, I've done it. vBulletin is actually exploitable by a cookie.

1pt to Hsoolien. There are tons and tons of open source code that is very secure. In fact 95% of forums and scripts out there are open source and are still secure. Webmasters can always take better precautions just in case script failures or security holes are present. A good webmaster will take all steps that they know to make sure the site is as secure as possible. I myself take all the precautions I can think of and still steadily look for more all the time to make sure. So yes, this is still better avoided by a good webmaster.

Last point to Nina. Depending on what source of the script is exposed, it can be used. Why? Because on just about every site there's always a config file somewhere. If this file is leaked you can take over a whole site and seriously mess up someone's hosting account. Again, I've done it before. In fact I could to this day still do it to Cpixel. Similar to Facebook, they misconfigured the site for about 30 minutes and I downloaded and saved about 80% of the site, not counting images. If you don't know what was leaked you won't know if it can cause problems or not. And you know Facebook is not honestly going to tell you what was leaked and how bad it could be. So don't consider this a big deal, since you won't know until it's too late if it is.

Just think of it like a seatbelt in your car. Don't make it a big deal, but know something could happen, so it's good to be prepared. But that's advice for anything online.

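Whether a leak like the one in #1 hands an attacker the config file #10 warns about depends on what the misconfigured server actually served. The block below is an added example, not Facebook's code and not code from any poster: a small offline check that inspects HTTP responses for server-side source that went out unparsed (the "server misconfiguration, not a hack" of the article) and flags credential-looking assignments while masking their values. The marker and secret patterns, the Content-Type values, and the sample responses are constructed assumptions for illustration, not observations of the real incident.

```python
import re
from dataclasses import dataclass, field

# Tokens that appear in PHP source but not in HTML the server has rendered.
# Illustrative list (my assumption); extend it for the stack you actually run.
SOURCE_MARKERS = {
    "php-open-tag": re.compile(r"<\?php\b"),
    "php-superglobal": re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST|SERVER|SESSION)\s*\["),
    "php-include": re.compile(r"\b(?:require|include)(?:_once)?\s*\(?\s*['\"]"),
}

# Credential-looking assignments: the part of a leak that lets someone
# "take over a whole site". Heuristic by design; expect some false positives.
SECRET_PATTERNS = [
    re.compile(r"define\s*\(\s*['\"](?P<name>\w*(?:PASS|PASSWORD|SECRET|KEY|TOKEN)\w*)['\"]"
               r"\s*,\s*['\"](?P<value>[^'\"]*)['\"]", re.I),
    re.compile(r"\$(?P<name>\w*(?:pass|pwd|secret|key|token)\w*)\s*=\s*['\"](?P<value>[^'\"]*)['\"]", re.I),
]

# Content types a misconfigured Apache typically uses when the PHP handler is
# missing and a .php file is served as a plain file (assumed for the example).
RAW_SOURCE_TYPES = {"text/plain", "application/x-httpd-php", "application/x-httpd-php-source"}


@dataclass
class Finding:
    path: str
    markers: list = field(default_factory=list)
    secrets: list = field(default_factory=list)  # (name, masked value)

    @property
    def source_exposed(self):
        return bool(self.markers or self.secrets)


def mask(value):
    # Never copy a leaked credential into a report; keep just enough to recognise it.
    return value[:2] + "*" * max(len(value) - 2, 0) if value else ""


def inspect_response(path, content_type, body):
    """Classify one response: did the server hand out source instead of output?"""
    f = Finding(path)
    ct = content_type.split(";")[0].strip().lower()
    if path.endswith(".php") and ct in RAW_SOURCE_TYPES:
        f.markers.append("content-type:" + ct)
    for name, pat in SOURCE_MARKERS.items():
        if pat.search(body):
            f.markers.append(name)
    for pat in SECRET_PATTERNS:
        for m in pat.finditer(body):
            f.secrets.append((m.group("name"), mask(m.group("value"))))
    return f


def scan(responses):
    """responses: iterable of (path, content_type, body). Returns only exposed ones."""
    return [f for f in (inspect_response(*r) for r in responses) if f.source_exposed]


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = [
    ("/index.php", "text/html", "<html><body><h1>Welcome</h1></body></html>"),
    ("/profile.php", "text/plain",
     "<?php\nrequire_once('config.php');\n$id = $_GET['id'];\necho render_profile($id);\n"),
    ("/config.php", "application/x-httpd-php",
     "<?php\n$dbhost = 'localhost';\n$dbpass = 's3cr3t-db';\ndefine('SECRET_KEY', 'abc123');\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RESPONSES):
        print(f.path, "markers:", f.markers, "secrets:", f.secrets)
```

Point it at the responses a post-deploy smoke test already fetches, or at a saved crawl, and treat any hit as an incident rather than a warning: once a response body contains `<?php`, the whole file has already left the server, and rotating the credentials it names matters more than fixing the handler mapping.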
#11 SiN's Love Slave (Sins: 836, Xations: 20%)

You know when Sinny posts you can expect it to be long and informative. I'm with Lynn's thinking on this: being able to read people's messages is really unacceptable. But they did fix that, unlike AOL, who still has this exploit. Sinny brings up a good point that it really depends on what part of the code is exposed, and since we won't know, or even if we did understand it, there would be no reason to really worry about this. People should know that big sites like MySpace or Facebook are more likely to be targeted anyway. Putting something very private on sites like that isn't that smart to begin with.

#12 Paradox (Sins: 3,847, Xations: 14%)

A lot of it is a race to offer more customization, a race where things like stability and security are kind of left behind because they aren't sexy to your average user.

#13 SiN's Lil Slave (Sins: 2,117, Xations: 20%)

Any site that will process HTML input by a user is a security risk. It's a well-known fact, at least to any smart webmaster and programmer. There are simply too many variables to take into consideration. Think how long MySpace has been around and is still working on the same problems, only because they allow HTML on their site.

#14 Paradox (Sins: 3,847, Xations: 14%)

That's why I would build my own parser. The issues lie not in that HTML is allowed, but in how it's implemented.

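The XSS and profile-injection points in #7 and the "it depends on how it's implemented" exchange in #13 and #14 come down to one design choice: does user-supplied HTML pass through a blocklist filter, or is it rebuilt through an allow-list parser? The following is an added example, not code from any poster and not from MySpace, Facebook or vBulletin: a minimal allow-list sanitizer built on Python's standard-library HTMLParser, next to the kind of regex blocklist that a split tag walks straight through. The tag and attribute allow-lists, the accepted URL schemes and the payloads are my own assumptions and constructed inputs.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allow-list policy (assumed for the example; tune per site).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Return the URL if its scheme is allowed, else None.

    Browsers ignore ASCII control characters and whitespace inside a URL, so
    'java\\tscript:' still runs; strip them before reading the scheme so the
    filter sees what the browser will see. Any ':' in a scheme-less URL is
    rejected too, erring on the strict side.
    """
    probe = re.sub(r"[\x00-\x20\x7f]", "", value)
    if ":" in probe:
        scheme = probe.split(":", 1)[0].lower()
        if scheme not in SAFE_SCHEMES:
            return None
    return value


class AllowListSanitizer(HTMLParser):
    """Rebuilds the fragment from parsed tokens; nothing unrecognised is copied through."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # tags we emitted and still owe a close for

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # tag dropped; its text content still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # style, onerror, onmouseover, ... never make it through
            value = value or ""
            if name in URL_ATTRS:
                value = safe_url(value)  # HTMLParser has already decoded entities here
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray close tag, or one for a tag we never emitted
        while self.open_tags:  # close inner tags first so the output stays balanced
            t = self.open_tags.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?...?> and unknown declarations hit HTMLParser's
    # no-op handlers and are therefore dropped.

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Allow-list rewrite of an untrusted HTML fragment."""
    p = AllowListSanitizer()
    p.feed(fragment)
    p.close()
    return p.result()


def blocklist_filter(fragment):
    """The naive approach: delete <script> blocks and hope nothing else is harmful."""
    return re.sub(r"<\s*script[^>]*>.*?<\s*/\s*script\s*>", "", fragment,
                  flags=re.IGNORECASE | re.DOTALL)


# Constructed payloads (not taken from any real incident).
PAYLOADS = [
    '<scr<script></script>ipt>alert(1)</script>',
    '<img src="x" onerror="alert(1)">',
    '<a href="java\tscript:alert(1)">click</a>',
    '<a href="&#106;avascript:alert(1)">click</a>',
    '<p style="background:url(javascript:alert(1))">hi',
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print("blocklist :", blocklist_filter(payload))
        print("allow-list:", sanitize(payload))
```

Run it and compare the two columns: the blocklist reassembles `<script>alert(1)</script>` from the split tag and never touches the event handler or the `javascript:` URL, while the allow-list version never re-emits anything it did not explicitly decide to keep, so those attributes simply vanish. Decoding entities before the scheme check and stripping the control characters browsers ignore is what closes the `&#106;avascript:` and `java<TAB>script:` variants.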
Tags: code, facebook, source
Similar Threads

| Thread | Thread Starter | Forum | Replies | Last Post |
| --- | --- | --- | --- | --- |
| Rumor: Facebook to Launch MP3 Store? | | News | 3 | 10-06-2007 12:03 PM |
| Facebook Uses Personal Profile Data for Targeted Ads: Evil or Clever? | Passion | News | 7 | 08-25-2007 04:49 PM |
| Facebook Search Code Leaked | Passion | News | 6 | 08-15-2007 08:56 AM |
| Facebook supports racism and lose Vodafone contract | Kimono | News | 16 | 08-06-2007 10:44 AM |
| Facebook Not Hacked, But Bug Let You Read Other's Mails | SiNXation | SiNXation | 9 | 08-04-2007 09:34 PM |