Feeds

Student reprimands Facebook for bad manners and exposed code

Rebuke comes amid new leak of purported Facebook code

New hybrid storage solutions

McNeely expected that would be the end of it until the code ended up surfacing on Facebook Secrets, a site hosted on Blogspot that appears to have been created following the code leakage. Despite the formidable firepower of Facebook's legal team, the code remains on the Google-owned site at the time of writing, more than 72 hours after it first went up.

What's more, a second entry was made to Facebook Secrets that purports to offer another sampling of Facebook code. Facebook didn't respond to our request for comment, so there was no way for us to confirm the claim is genuine. (The code wasn't a part of the posting McNeely made over the weekend, and he says he has no idea where it came from.)

But Robert Hansen, a security researcher specializing in Web 2.0 applications, has examined the latest disclosure and said it appears to be as advertised. For example, one section beginning with the line require_js('js/editregion.js'); clearly corresponds to this section of the Facebook site.

And that raises questions about security on the site. For one thing, if it proves to be actual Facebook source code, it suggests leaks are more common than company spinmeisters would have us believe. More importantly, the latest disclosure, in contrast to the first one, goes well beyond the mere reprinting of interface code, which is of little use to someone looking for security holes.

"It gives enough information for an attacker to know where they should or shouldn't be attacking," Hansen said of the latest code disclosure.

The company said yesterday that configuration errors led to the leak of a limited amount of code and assured users security was just fine. Nothing to see here. Move along.

But like Hansen, McNeely isn't so sure. The second thing the Oklahoma grad has derived from the episode is that the Facebook can leak like a sieve. He says this isn't the first time PHP code has spontaneously appeared on his browser while surfing Facebook, and that's made him think twice.

"The type of error they got because of some misconfigured server, that tells me they're not secure," he said. "I'm not a programmer, but I can read code. In my opinion facebook is vulnerable." ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Leak of '5 MEELLLION Gmail passwords' creates security flap
You should be OK if you're not using ANCIENT password
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Enigmail PGP plugin forgets to encrypt mail sent as blind copies
User now 'waiting for the bad guys come and get me with their water-boards'
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.