August 11, 2007

Facebook Source Code Leaked

Nik Cubrilovic

257 comments

We just received a tip that the source code for the Facebook main index page has been leaked and published on a blog called Facebook Secrets. There are at least two possible ways that the source code got out: the first is that a Facebook developer sent it out; the second, and more likely, is that a security hole or some other method was used against either one of the Facebook servers or their source code repository to reveal the code. The blog that published the code has only a single post on it, so it was created exclusively to publish this code, meaning that whoever is behind this both isn’t taking credit for the hole and doesn’t want to be associated with it. While there is no certain way to verify that the code is actually from Facebook, by taking a quick look through the code and by double-checking some paths that it references, we can say with some certainty that this seems to be both real and a recent version of the main Facebook page.

There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited. Since Facebook is a closed source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party probes the application in an attempt to work out how it behaves and to try to find potential race conditions. In closed source applications it is common for developers to rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.

The second implication with this leak is that the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine).

This leak is not good news for Facebook, as it raises the question of how secure a Facebook user’s private data really is. If the main source code for a site can be leaked, then it can be said that almost anything is possible. Facebook has become such a success and has such a high profile that it has become a magnet for attacks against its systems. Most large scale applications suffer a breach at some point or another, since the odds are always stacked in favor of attackers, but companies can respond in a number of ways and the hope here is that Facebook will handle this situation gracefully. I don’t doubt that Facebook will pursue this case with a lot of energy, both to find the cause of why the code leaked and to find who was responsible. They will also need to take some very quick short term measures to mitigate the risk to users, since you can bet that right this minute there are hundreds of potential attackers poring through the leaked code and probing their systems. At a quick glance, I can see some obvious things in the code that both reveal certain hidden aspects of the platform and give a potential attacker a good head start.

Update: Facebook have sent us an official response (and Brandee Barker from Facebook has left a comment below): “A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.” It seems that the cause was Apache and mod_php sending back un-interpreted source code instead of output, due to either a server misconfiguration or high load (this is a known issue). It is also apparent that other pages have been revealed, and that this problem has occurred before, but only now has somebody actually posted the code online.
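The failure mode described above (the web server handing back raw PHP instead of executing it) is mostly a handler-mapping and file-placement problem. The following virtual host fragment is an added example in Apache 2.4 syntax, not Facebook’s or the article’s configuration; the paths, `include_path` and the `php_module` identifier (which varies by PHP version) are assumptions to adjust for a real deployment:

```apache
# Hypothetical vhost fragment (added example; paths are placeholders).

DocumentRoot "/var/www/example/public"

# 1. Only the front controller lives under DocumentRoot. Library code sits
#    outside the web root and is reached via include_path, so a broken
#    handler mapping can never expose it (a direct request simply 404s).
<IfModule php_module>
    php_admin_value include_path ".:/var/www/example/lib"
</IfModule>

<Directory "/var/www/example/public">
    # 2. No directory listings: a stray backup copy must not be discoverable
    #    by browsing the directory.
    Options -Indexes -Includes

    # 3. Map the PHP handler by an anchored extension. "index.phpbackup",
    #    "index.php~" and "index.php.bak" all fall outside this match and
    #    are caught by the deny rules below instead of being served as text.
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>

    # 4. Refuse editor/backup artefacts and include files outright,
    #    whatever handler they would otherwise get (.phps would render
    #    highlighted source via mod_php).
    <FilesMatch "\.(bak|old|orig|save|swp|inc|phps|phpbackup|php~)$">
        Require all denied
    </FilesMatch>
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</Directory>

# 5. Fail closed: if the PHP module is not loaded, deny the whole document
#    root rather than letting the default handler stream .php files as
#    text/plain.
<IfModule !php_module>
    <Directory "/var/www/example/public">
        Require all denied
    </Directory>
</IfModule>
```

After any change, `apachectl configtest` followed by a request for a deliberately placed `test.php.bak` under the document root should return 403, not the file body.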

Update 2: I have posted 4 tips on my own blog on how to prevent your server from leaking your application source code.


Comments

This is some crazy news…Bad news for Facebook. I’m sure this will be all over the place soon.

Thanks for the tip TechCrunch, great post Nik..especially the snippet below:

“It is for these reasons that it is often claimed that open source software is more security than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.”

 

Mike, there’s a typo at the end of the second paragraph:

“… open source software is more “security” than closed source software … “

 

Facebook just like my own website is now open source. Huzzah!

PS. Did you know that I invented the Internet?

 

Yes Al, I found out using THE Guuugl.

 

Yes Bush, we shall dominate facebook now

 

very scary if true and if it gives hackers access to personal info.

P.S. TC crew any chance you’ll consider stopping anonymous posts? Pretty please?

 

That is one scary piece of code indeed. Not that it really matters, but it’s interesting nonetheless.

 

Oh oh.. if source code were leaked then the private info might be next??

 

“There are only two possible ways that the source code got out”

Surely you’re aware of misconfigured Apache servers.

 

I am monitoring your internets.

 

Rather interesting.. the code itself isn’t written that well.
For one: `$_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';` is included twice…
Oh well, you can’t argue with success.

 

Faithful reader is correct, it wasn’t a leak. One of Facebook’s servers was dumping the source of pages being accessed.

 

Between people looking down upon the applications, the source code leakage, the lawsuit, Facebook has not been having any luck lately. This type of mistake has irreversible consequences. I wouldn’t be surprised if Facebook revamps their source code.

 

While this is pretty bad news for Facebook, is this really going to have a major impact on users? Correct me if I’m wrong, but do people really have that high of an expectation of privacy for the information they put on sites like this?

http://blog.thetechnonaut.com

 

Very interesting!
Copy / Paste -Thanks

 

After reading the code myself, I am actually quite disappointed.
I won’t get all nerdy and point things out; however, I was expecting
something clean and slick. OO isn’t necessary, but this is as close to
spaghetti code as it gets.

 

I don’t think it’s as big of a deal as we make it…I remember the problem with the “.” in the early versions of ASP, now that was bad :)

 

Interested to hear their response, but I hope they discuss it publicly sooner rather than waiting to investigate the leak.

 

@Rob. Based on my experience while architecting the Internet, I can tell you that people do not really care about privacy of personal information.

I would say that FB _does_ care about people mining their data.

 

Yick. That’s some ugly code. It doesn’t even follow any good PROCEDURAL development practices. It looks like it was written by decidedly average college freshmen ;)

 
 

Smarty Templates? Ouch. I wonder if they’ll recover from that.

 

… or how to get on the news.

Facebook PR department.

 

The odds are extremely heavily stacked against the companies that run websites. Exposures can be accomplished from so many different angles…

 

Anyone expecting OO out of PHP code is very unrealistic. Any non-trivial site written in PHP is asking for spaghetti code.

 

John, you can easily create great MVC OO sites with php5. What are you talking about?

 

The code looks so simple. That’s not really Facebook source code. Some of the code doesn’t execute correctly. Facebook is done SQL

Not like this. It’s kiddie script. You can get source code from founder ConnectU.com. They would say ‘no’.

 

Lol John, you’re such a noob. People who say PHP isn’t good for OOP should just quit programming forever. What are you, some ASP.NET nerd?

PHP5 in OOP is an absolutely sick language. If you have a site that generates a lot of load, you use C extensions or even C / Java apps in combination with your PHP app to do the heavy lifting.

Only noobs can’t code efficient PHP code. Buzz off.

 

Hi Nic-

I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.

Thanks to you and the TC readers for helping us out on this one.

Brandee Barker
Facebook

 

Wow, an extremely long post as to why revealing source code for a public, active website is bad. All of that could’ve been summed up in a few short sentences.

 

Looks like an official response above me.

That would have been my guess. Based on the following it doesn’t seem like a hack or an insider leaking anything:

It’s not a valuable find. I’d be more interested in any class they use more than a page like this. You don’t get much info out of these pages.

It’s like breaking into a home for a tissue. If you go through the effort, you take something to make it worth the risk.

 

If someone renamed the file index.phpbackup and left it live for a few minutes apache would probably render it as source. If it was put in a subdir and directory browsing was on it’d be easy to spot. Just a guess because I’ve seen it happen before.

 

How can a service that huge not work with an object oriented framework - a little yesterday - don’t you think?

 

Ouch. That’s not good. I guess they better get to work on changing the code around to avoid the bugs.

 

That’s not a big deal, Facebook is not Google, there’s no so much IP behind, code is not important, their asset is their social graph - which can be revealed only by a database dump hack!

 

@Brandy Baker
“The reprinting of this code violates several laws and we ask that people not distribute it further.”

Which law are you specifically talking about?

There is nothing unique or creative about the code itself to make it copyrightable. There are basically only several ways you can code something… since no one intentionally came to the site to grab the code there was no tort of trespass or computer fraud act violation, and since it was released accidentally, I can’t imagine you can claim it’s a trade secret.
Caveat (I am not a lawyer, so anyone reading this, do not assume you have no liability by reprinting their code).

More than anything, I am just curious about which several laws are being violated here.

 

smarty? i don’t see no stinkin’ smarty.

 

dude28, if you really want to have your site work fast, as they do, procedural is the best way to go. No need to waste all of that processing power to keep developers happy.

 

I’ve also heard that other pages other than the main index were leaked. Such as the profile template. Any truth to this anyone?

 

crazy & Brandee –

This is why we only want lawyers using legal speak, usually because they know what they’re talking about.

 

Bogus code released on purpose to thwart hackers/competition.

 

Any user who puts anything that would be detrimental to have “leaked” on that site is … well an idiot. And why should anyone care if the code is elegant … I don’t have to work with it, if the application works then great.

 

This is very interesting news. I heard a rumor that FB had rules from the top down dictating certain development practices. Although I haven’t yet perused the source, the news is a bit disconcerting. On the other hand, of course, the fact that their index.php template is messy could be explained by poor original design and failure to refactor the code down the road, up to the point that it may have gotten too complicated and not worth the effort. Looks like it will be worth the effort now.

 

@Squareoak, hehe, that could actually be funny and somewhat true. The first things that were going through my mind when I was reading Nic’s (very good) post, was that this was indeed a hoax.

 

brandee is the facebook pr chick (according to valleywag) so she probably knows what she’s talking about with the legal stuff. plus, the code really doesn’t show much at all, so i’m not really sure what the big deal is. this just seems like people making something out of nothing just because it’s facebook.

 

Maybe this is actually ConnectU’s source code and they are doing this out of spite. Is that too outlandish?

 

This isn’t the interesting code - the great stuff is in Facebook’s datamodel and distributed caching mechanism. The brief server configuration glitch that would reveal this is unfortunate but hardly the end of the world. Nothing to see here, move along…

 

Would be funny if ConnectU’s code was identical to this ;)

 

@skaterhack I agree… I actually tried accessing some of the includes (mind you, I didn’t poke for more than 1 minute). No hope. They all return 404s. I am beginning to think this could indeed be a hoax.

 

I agree with Alex and Skaterhack. What’s the best way to get your website instant hitrank? Post, and then quickly spread to the most popular blogs, that you have the most popular web 2.0’s source code.

 
