The leak of a few hundred lines of Facebook’s source code over the weekend caused a bit of a tempest as bloggers questioned whether the breach had compromised security at the popular social networking site. But beyond some red faces at Facebook HQ, the accidental disclosure – apparently the result of a misconfigured Apache server – is unlikely to do lasting harm.
This morning I spoke to Dave Marcus of McAfee Avert Labs, a web security outfit. Here’s what he had to say about the debacle:
If you’re going to have some of your pages exposed through a server error, this is probably the one you’d want. There doesn’t seem to be any user data. This would be step one of an attack, information gathering. There’s good intel to be gained here about Facebook and the infrastructure it’s running on. But this doesn’t give me anything I want if I’m looking to root the server or make a duplicate application.
As concerns about a dire security breach die down, tech-savvy bloggers have begun poking fun at some of the more colourful comments left by Facebook’s developers in between their bits of source code. Well-commented computer code is rare and to be commended, but in Facebook’s case, its ample annotation includes gems such as "an error can also be here because the profile photo upload code is crazy" and "We special case (sic) the network not recognized error here, because affil_retval_msg is retarded."
One commenter on Techcrunch said the annotated source code "looks like it was written by decidedly average college freshmen." Touché.