Published June 25, 2008 | London Times
Facebook users on Monday were left contemplating the security of private details stored on the social-networking site after part of its source code was leaked onto the Internet.
The site on Monday acknowledged that a section of its code had been copied and published on a blog, but stressed that none of the personal details of its 52 million users had been compromised.
Over the weekend, a blog called Facebook Secrets published details of part of Facebook's source code, the set of commands which determine the way the site appears when it is viewed by users.
Facebook said that a fraction of its code had been "exposed to a small number of users as a result of a single, misconfigured Web server" but that the problem was "fixed immediately."
"It was not a security breach and did not compromise user data in any way," the company said in a statement released to TechCrunch, the news site which first reported the story.
Security experts said that there was relatively little that could be learnt from the leaked code, which appeared to give details of the structure of the home page, but that Facebook's reputation as a secure site would be called into question.
"With the amount of personal information that's on there, the security should be tip-top," Lloyd Brough, a consultant with the British IT security firm Pentura, said. "This kind of thing just shouldn't be happening."
The mistake was likely to have happened during maintenance of the site, when a command that would usually cause the page to appear when loaded up did not execute, Brough said.
"If that is what did occur, they shouldn't be doing it that way. They should be configuring another server and then switching over," he said.
Nik Cubrilovic, who posted the original item on TechCrunch, commented there that, "This leak is not good news for Facebook, as it raises the question of how secure a Facebook user's private data really is."
The code that was leaked referred to the "front end" of Facebook's Web site and detailed several of the modules used by the home page in a language known as PHP script.
Ian Moulster, a former programmer who is now a product manager at Microsoft, said, "Gaining access to the way a Web site's user interface works might enable a hacker to see a security gap that in turn may assist in inflicting an attack in the future."
Many bloggers expressed excitement at being able to witness the workings of Facebook, which has quickly become one of the most trafficked sites in the world.
One noted that this was "roughly as exciting as someone leaking the prologue to the Harry Potter novel."
Others, however, were dismissive: "Source code secrecy is over-rated, part of the myth that programming is something mystical and irreproducible," wrote "Carlfish" on the Valleywag Web site.
One report suggested that the code may have been leaked to assist in an ongoing court case brought against Facebook by ConnectU, a rival site whose owners claim Facebook stole their idea and code three years ago — a claim Facebook denies.
This suggestion was dismissed by many commentators, who said that after three years of development the code would have changed beyond recognition.
It is the second time that Facebook — whose users spend an average of just over three hours per month on the site, according to comScore Media Metrix — has had its security procedures questioned.
In June, it was forced to update its privacy settings after it was revealed that some users had unwittingly been exposing personal details, such as sexual preference and religious beliefs, even though their profiles were set to keep those details private.