Facebook PHP Source Code Leaked: Whoops

Over this past weekend the PHP source code for social networking site Facebook was inadvertently leaked onto the Internet. The leak was due to a misconfigured server that delivered the PHP data as text rather than executing the file. Shortly after the code was displayed at Facebook the website Facebook Secrets had the code on their site for the entire world to see. A representative for Facebook said that no user data was compromised.

This is little solace to the millions of users, most of which wouldn’t know PHP code if it rode up on a Segway and lit their hair on fire. The SNAFU was a pretty easy mistake to make if a programmer wasn’t paying attention. Honestly, you never hear of things like this because sites that run into these problems are normally homebrew stuff where people are learning PHP. I ran into it briefly while putting together a local PHP site to start learning the language – in the interest of disclosure, shortly thereafter I gave up on coding. And from the code it does appear no user data is at risk, but a security breach can’t be denied.

Nik Cubrilovic at TechCrunch said in his blog that the leaked code could allow hackers a mighty fine starting point for figuring out how Facebook works, thus leading to bugs and security holes being uncovered. The code is part of the user interface, and not the actual structure of Facebook. Still Mr. Cubrilovic’s warning of potential extrapolation of the inner workings of Facebook using the UI PHP code still holds a bit of water. At the very least users of any website need to know how to secure their own data instead of relying on a magical server room to remain secure.