If you haven’t heard already, a few pages of PHP source code for Facebook were leaked online. The site wasn’t hacked so much as a back door was left open.
Here’s what Facebook had to say:
“A small fraction of the code that displays Facebook web pages was exposed to a small number of users due to a single misconfigured web server that was fixed immediately. It was not a security breach and did not compromise user data in any way. Because the code that was released only powers the Facebook user interface, it offers no useful insight into the inner workings of Facebook. The reprinting of this code violates several laws and we ask that people not distribute it further.”
Some geeks were elated, some horrified, and some just shrugged. I fall into the third category.
It did offer a glimpse behind the wall of one of the most hyped companies of the moment and it’s always interesting to see how the industry leaders are doing things. While the code could provide details that might compromise the security of their other servers and pages, I’m guessing they are already re-engineering their setup to make any clues useless.
But this leak doesn’t mean that PHP is flawed. It doesn’t mean that any server hardware/software choice was to blame. It was misconfigured. It was human error. (“This sort of thing has cropped up before and it has always been due to human error.”)
Instead it is a cautionary tale about being thorough and vigilant. It should remind web developers and users not to assume sites are secure just because the code is good or the company is reputable. A website is only as secure as its weakest link. You can only take a limited amount of security for granted.
If you want to try to improve some of those weak links on your site… Nik Cubrilovic offers four tips to help prevent your server from doing the same thing. (Though a lot of people have blasted his assertion that PHP is known to sometimes return source code…) Vidyut Luther lists three more tips that can help.
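As an added example (not code from this post, from Facebook, or from the tips linked above), here is a small Python check a site owner can run against their own pages to catch the symptom at the heart of this story: a web server handing back the PHP source of a page instead of the HTML that page should have rendered. The sample responses are constructed for the example; the `application/x-httpd-php` Content-Type check assumes a server that maps `.php` files to that MIME type when no handler processes them.

```python
import re
from dataclasses import dataclass

# A PHP open tag: "<?php" or the short echo tag "<?=".
PHP_OPEN_TAG = re.compile(r"<\?(php\b|=)", re.IGNORECASE)

# Syntax that appears in PHP source but not in the HTML a working PHP page emits
# (unless the page is deliberately quoting code, which we treat separately).
PHP_SOURCE_HINTS = (
    re.compile(r"\$[A-Za-z_]\w*\s*(=|->|\[)"),            # $var = ..., $obj->..., $arr[...]
    re.compile(r"\b(require|include)(_once)?\s*[\('\"]"),  # require_once('...')
    re.compile(r"\bfunction\s+\w+\s*\("),                  # function name(
)


@dataclass
class LeakCheck:
    leaked: bool
    reason: str


def check_php_response(content_type: str, body: str) -> LeakCheck:
    """Decide whether an HTTP response for a .php URL looks like unprocessed source."""
    text = body.lstrip("\ufeff \t\r\n")          # ignore a BOM and leading whitespace
    ct = content_type.split(";")[0].strip().lower()

    # Case 1: the document itself begins with a PHP open tag -> raw script.
    if PHP_OPEN_TAG.match(text):
        return LeakCheck(True, "body begins with a PHP open tag")

    # Case 2: the server labelled the response as the script rather than its output.
    if ct == "application/x-httpd-php":
        return LeakCheck(True, f"Content-Type {ct} indicates an unprocessed script")

    # Case 3: HTML preamble followed by a PHP block. Only flag it when PHP-only syntax
    # follows the tag, so a page that merely quotes "<?php ... ?>" is not a false alarm.
    m = PHP_OPEN_TAG.search(text)
    if m:
        window = text[m.end(): m.end() + 2000]
        hits = sum(1 for pattern in PHP_SOURCE_HINTS if pattern.search(window))
        if hits >= 2:
            return LeakCheck(True, "PHP open tag followed by PHP syntax in the body")
        return LeakCheck(False, "PHP open tag present but no PHP syntax follows (likely quoted code)")

    return LeakCheck(False, "no PHP source markers")


# Constructed sample responses (not real captures).
EXECUTED = ("text/html; charset=utf-8",
            "<html><body><h1>Welcome</h1></body></html>")
LEAKED = ("text/plain",
          "<?php\nrequire_once('lib/init.php');\n$user = get_user();\n?>\n<html>")
QUOTED = ("text/html",
          "<html><body><pre><?php echo 'hi'; ?></pre></body></html>")
MIXED = ("text/html",
         "<!DOCTYPE html><html><head><title>x</title></head>\n"
         "<?php\n$name = $_GET['n'];\nfunction greet($n) { return $n; }\n?>")

if __name__ == "__main__":
    for label, sample in (("executed", EXECUTED), ("leaked", LEAKED),
                          ("quoted", QUOTED), ("mixed", MIXED)):
        result = check_php_response(*sample)
        print(f"{label:9s} leaked={result.leaked}  ({result.reason})")
```

Run it against responses fetched from a staging copy of your own site after any deployment or server change; a "leaked" result on a page that should render HTML means the PHP handler is not being applied to that path.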