Sindows 7

join:2006-09-13
Hope, BC

 Amateur Programming Error Exposes Facebook Code

»blog.wired.com/monkeybites/2007/···ram.html

Owing to a misconfigured server, Facebook exposed its homepage code to what the company called “a handful of users” over the weekend. The leaked code was promptly posted on a new blog, Facebook Secrets, for all of the internet to see.

Although Facebook hasn’t specified what exactly was wrong with the server, it seems reasonable to conclude that some sort of mod_php error caused Apache to serve the code as an ordinary text file rather than processing it as PHP.

The code leak does not constitute a security breach and there’s probably no immediate reason to be concerned about your data. However, given the number of PHP includes and auxiliary file paths listed, hackers now have a much better idea of how Facebook works and where potential vulnerabilities may lie. And it’s hardly comforting that such an amateur programming mistake is happening to a site the size of Facebook.

PHP is notorious for just this sort of thing — serving code as text — but there are ways you can prevent it from happening on your own site. The easiest and most effective way is to use the Apache module mod_security, which can detect and stop PHP source code from being sent as plain text.

Regrettably for Facebook, the site apparently wasn’t using mod_security on the particular server that was misconfigured.

One group that should be quite happy with the leak is ConnectU, the company currently embroiled in a lawsuit with Facebook which alleges that the latter stole code from the former. If the alleged code happened to be on Facebook’s front page, ConnectU’s case just got a whole lot stronger, though ConnectU hasn’t said anything to that effect.

Given the amount of personal data that many people have dumped into Facebook, an outside security breach would likely lead to an identity theft nightmare, should it ever happen. And if this weekend’s code leak is any indication, Facebook doesn’t seem to be operating at the security level you would expect from a site of that size.
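As an added example (not part of the post above or the Wired article it quotes), here is a ModSecurity 2.x fragment for Apache that implements the outbound check the article describes: it inspects response bodies and blocks a reply that carries PHP source, and separately flags a .php request that comes back as text/plain, which is what happens when the handler is not applied. The rule ids, the 403 status and the body-size limit are assumptions, not values from the page.

```apache
# Assumed example configuration; rule ids 100001-100002 and the limits are placeholders.
SecRuleEngine On

# Buffer and inspect outbound bodies; default MIME list covers text/plain and text/html.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Rule 1: a response body that contains a PHP open tag is source code, not rendered output.
# Phase 4 runs after the body is generated, so the leak is stopped before it reaches the client.
SecRule RESPONSE_BODY "@rx (?i)<\?php\b|<\?=" \
    "id:100001,phase:4,t:none,deny,status:403,log,\
     msg:'PHP source code detected in response body',\
     tag:'data-leakage/php-source'"

# Rule 2: a request for a .php file answered with text/plain means mod_php did not process it.
# Chained: both conditions must match. Logged and denied so a misconfiguration is noticed quickly.
SecRule REQUEST_FILENAME "@rx \.php$" \
    "id:100002,phase:3,t:none,deny,status:403,log,chain,\
     msg:'.php resource served as text/plain (handler not applied?)'"
    SecRule RESPONSE_CONTENT_TYPE "@beginsWith text/plain"
```

With `SecAuditEngine RelevantOnly` (the usual default) both denials appear in the audit log, so a misconfigured virtual host shows up as a spike of these rule ids rather than as a blog post of leaked code.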