Facebook Code Leaked on Site

Although only display code revealed, experts say social networks are vulnerable.

Aug. 14, 2007 -- Facebook accidentally leaked portions of its own program code, causing some security experts to call into question the security of all social networking sites.

Over the weekend, the popular site accidentally exposed some of its program code to users. The homepage display code, which was hidden again quickly according to Facebook, was posted on various blogs.

Despite the mistake, the leaked code didn't release any user information, according to the company.

"A small fraction of the code that displays Facebook Web pages was exposed to a small number of users due to a single misconfigured Web server that was fixed immediately. It was not a security breach and did not compromise user data in any way," a Facebook spokesperson said in an e-mailed statement to ABCNews.com. "Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further."

According to several experts, the leak was an embodiment of what has always been a problem for social networking sites: security.

The leak "shows the danger of how much you can trust a social networking site," Robert Graham, CEO of Errata Security, a high-end security firm based in Atlanta, told ABCNews.com. "All the social networking sites are rife with security problems and the targets of hackers as well. … There's widespread hacking at social networking sites."

Last week in Las Vegas, several security firms and attendees at Black Hat and DefCon, two conferences for hackers, presented ways that social networking sites could be hacked into.

Earlier this month at Black Hat, a hackers' conference in Las Vegas, Graham demonstrated the vulnerability of the sites in public Wi-Fi hotspots. According to Graham, hackers can easily take control of your profile at Facebook or MySpace by using a program that "steals cookies."

Over the years, MySpace has also been targeted by several worms, self-replicating programs that can multiply without detection and deliver viruses to users.

"MySpace has had far more [security] problems than Facebook," Graham said, primarily because hackers have been paying more attention to the site.

"Of course the whole point of social networking is for people to get in contact for you. At the same time it's a risk the more people know your contact information the more people can do bad things to you," he said. "Security is always a tradeoff. If you want to hide your information, you're hiding for the world. Just be aware of the risk when you do it."

'Little to No Security'

In profiles on Facebook, users can enter a host of information including their addresses, their phone numbers and their workplaces, along with their name and e-mail address. Each field of information can be set with various privacy protections over who can access the information and even if your profile will show up in a search of the site.

No matter what their privacy settings, users should be careful what they enter, according to Robert Siciliano, an identity theft security expert and the CEO of IDTheftSecurity.com.

"There's little to no security in these sites. One way or another [your profile] can be compromised," Siciliano said. "Hackers are constantly infiltrating these Web sites. ... That's never going to stop."

The best way to protect yourself, according to Siciliano, is to be aware of the risks.

"Do not enter any data that could potentially compromise your identity," Siciliano said. Such information includes credit card information or social security numbers.

Social networking site users should also ask themselves several key questions: "'Is what I'm doing currently putting myself in an insecure position? If I reveal this information about myself, who could potentially have access to it and what could they do as a result?'"

But not all the experts agreed. Despite these alarm bells, the specific code release doesn't mean much for Facebook's security, according to Jon Giffin, an assistant professor at Georgia Tech's School of Computing Science and a researcher at the school's Information Security Center.

The leaked code was display code that is not revealing, Giffin said. "Interesting code is found elsewhere."

"Sure you can question whether that misconfiguration may reveal lax measures on their end. I wouldn't necessarily say that's the case. They're humans," he said. "I'm not a Facebook user, but if I was I would not be terribly concerned by this. … I don't think it will make it easier to hack."