Facebook denies code leak threatens users

Facebook insists its users’ personal data was not put at risk by a source code leak that exposed the social-networking site at the weekend.


Facebook insists its users' personal data was not put at risk by a source code leak that exposed the social-networking site at the weekend.

The source code, which was posted on Saturday to a blog called Facebook Secrets, was still available on Tuesday morning on the blog.

A spokeswoman for Facebook said in a statement emailed to Computerworld that "a small fraction of the code that displays Facebook web pages was exposed to a small number of users" because of a misconfigured web server that was fixed "immediately".

The incident was not a security breach "and did not compromise user data in any way," the spokeswoman said. "Because the code that was released only powers the Facebook [user interface], it offers no useful insight into the inner workings of Facebook," she added.

However, Pete Lindstrom, a senior security analyst at Burton Group, said that anytime source code is accidentally revealed, "there is potential for an increase in risk". He added that when a company dismisses the security implications of such an incident, there likely really are security issues.

"There are enough folks out there trolling the websites and pulling that code who will be perfectly happy to try to identify vulnerable areas that could be exploited," Lindstrom said. "If you're release source code to the wild, you're going to have some level of increased risk associated with it. I can't think of a case where you wouldn't."

Nik Cubrilovic, a developer and contributor to TechCrunch, which originally reported the source code leak, blogged that the code could be used by outsiders to better understand how the Facebook application works. With that knowledge, Cubrilovic said, those outsiders can find additional security holes or bugs.

"From just this single page of source code, a lot can be said and extrapolated about the rest of the Facebook application and platform," he wrote. "At a quick glance, I know that I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.

"[Facebook] will also need to take some very quick short-term measures to mitigate the risk to users since you can bet that right this minute there are hundreds of potential attackers pouring through the leaked code and probing their systems," he added.

"Recommended For You"

Credentials stored in Ashley Madison's source code might have helped attackers Symantec says stop using pcAnywhere after Anonymous threats