Forums » Up and Running » Security » Security » Amateur Programming Error Exposes Facebook Code
Sindows 7

join:2006-09-13
Hope, BC

 Amateur Programming Error Exposes Facebook Code

»blog.wired.com/monkeybites/2007/···ram.html

Owing to a misconfigured server, Facebook exposed its homepage code to what the company called “a handful of users” over the weekend. The leaked code was promptly posted on a new blog, Facebook Secrets, for all of the internet to see.

Although Facebook hasn’t specified what exactly was wrong with the server, it seems reasonable to conclude that some sort of mod_php error caused apache to serve the code as an ordinary text file rather than processing it as PHP.

The code leak does not constitute a security breach and there’s probably no immediate reason to be concerned about your data. However, given the number of PHP includes and auxiliary file paths listed, hackers now have a much better idea of how Facebook works and where potential vulnerabilities may lie. And it’s hardly comforting that such an amateur programming mistake is happening to a site the size of Facebook.

PHP is notorious for just this sort of thing — serving code as text — but there are ways you can prevent it from happening on your own site. The easiest and most effective way is to use the Apache module mod_security, which can detect and stop PHP source code from being sent as plain text.

Regrettably for Facebook, the site apparently wasn’t using mod_security on the particular server that was misconfigured.

One group that should be quite happy with the leak is ConnectU, the company currently embroiled in a lawsuit with Facebook which alleges that the latter stole code from the former. If the alleged code happened to be on Facebook’s front page, ConnectU’s case just got a whole lot stronger, though ConnectU hasn’t said anything to that effect.

Given the amount of personal data that many people have dumped into Facebook, an outside security breach would likely lead to an identity theft nightmare, should it ever happen. And if this weekend’s code leak is any indication, Facebook doesn’t seem to be operating at the security level you would expect from a site of that size.
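As an added defensive example (this is not from the Wired article or from the post above), here is an Apache 2.2-era configuration with two layers against exactly this failure mode: refuse to serve .php files at all when the PHP handler module is not loaded, and a ModSecurity 2.x rule that inspects response bodies and blocks any that still contain a PHP opening tag. The module name mod_php5.c and the rule id 900100 are assumptions; adjust them to the modules and id ranges in use.

```apache
# Added example: defence in depth against Apache serving PHP source as text.
# Layer 1: if the PHP handler module is not loaded (broken upgrade, vhost
# missing its AddHandler, module not loaded), refuse to serve .php files at
# all instead of falling back to the default text/plain handler.
# Assumes the mod_php5 module name; adjust to the module actually in use.
<IfModule !mod_php5.c>
    <FilesMatch "\.php$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>

# Layer 2: ModSecurity 2.x rule (assumed rule id 900100) that inspects
# outgoing response bodies and blocks any that contain a PHP opening tag.
<IfModule security2_module>
    SecRuleEngine On
    # Response-body inspection is off by default; enable it and limit it to
    # the MIME types a leaked source file would be served as.
    SecResponseBodyAccess On
    SecResponseBodyMimeType text/plain text/html
    SecResponseBodyLimit 524288
    SecResponseBodyLimitAction ProcessPartial

    # Phase 4 runs once the response body is available. Match "<?php" or the
    # short echo tag "<?=" anywhere in the body and return 403 instead.
    SecRule RESPONSE_BODY "@rx <\?(?:php\b|=)" \
        "id:900100,phase:4,t:none,deny,status:403,log,\
        msg:'PHP source code leak in response body'"
</IfModule>
```

Layer 1 turns a silent source leak into a visible 403 that shows up in the error log, and layer 2 still catches the case where the handler is loaded but a file is served raw for another reason (for example a backup copy such as index.php.bak that matches no handler at all).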
Thursday, 10-Dec 20:06:57 Terms of Use | Privacy Policy | Hosting by www.nac.net - DSL,Hosting & Co-lo | feedback | contact
over 10 years online! © 1999-2009 dslreports.com.