A bunch of tech commentators on Hacker News are talking about how easy it is to read Facebook source code, and some say it could pose a risk to the social media site. Users can literally look inside snapshots of Facebook’s digital world because its engineers dumped a load of information on Pastebin, a platform for storing and sharing text.
The discussion is a reaction to a recent post on the blog of Sinthetic Labs, a security research group. A guy called Nathan Malcolm explains how, in 2013, he was fixing “a few bugs” while using software development tools and “ended up finding out a lot more about Facebook’s internals than I intended.” Malcolm says all he did was Google an error message, which led him to a specific Pastebin post. As he investigated further, he stumbled across various pieces of data that paint a picture of what Facebook looks like behind the scenes—in a digital sense, anyway.
He found what looked to be names, commands, and other “interesting information.” As you’ll see in an example below, the code probably won’t mean much to most people, but letting it roam free on the internet “probably wasn’t the smartest move,” Malcolm says.
When discussing some of the files (not the image above), Malcolm explains:
The person who, likely, posted this was “emir.” This may be the person’s first name, or it could be their first initial and then their surname (E. Mir). It’s clear this output was intended to be seen by another engineer at Facebook, so posting it on Pastebin probably wasn’t the smartest move. This person may have made other slip-ups which could make them a target if an attacker sees an opportunity.
Malcolm concedes that his findings don’t really pose a direct threat to Facebook, but suggests the resources could in extreme circumstances. He even found Facebook’s password for MySQL—the open-source database management system. Crucially, Facebook’s servers are heavily firewalled, so the information is effectively useless unless “you manage to break into Facebook’s servers,” he notes.
Overall, lots of people appear simply amazed at how easy it is to see this stuff. One comment on Hacker News says that “while some leaks may not even be effective outside Facebook’s internal network … having actual code that may be in production does pose a risk. The possibility to see where, for instance, data isn’t fully sanitized, or where information being fetched might not require proper authentication is more worrying.”
Another commenter points to a second source of such files: “I’m amazed at how many username/passwords are freely available via github search.” The bottom line is, “If you do not want someone to find it—do not publish it online.”
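The advice in that last quote is usually enforced in practice by scanning text for credentials before it is pasted or committed anywhere public. The following is an added example, not code from the article, from Sinthetic Labs or from Facebook: a small Python scanner that flags the kinds of values Malcolm describes (a MySQL command-line password and a connection URI with embedded credentials) while ignoring references to environment variables. The sample paste, and every user name, host name and password in it, is constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of text an engineer might paste or commit
# while debugging. Every host, user and password here is made up.
SAMPLE_PASTE = """\
$ mysql -h db01.internal.example -u svc_web -pS3cr3tPa55 --batch
Traceback (most recent call last):
  File "/var/www/app/db.py", line 12, in connect
DB_URL = "mysql://svc_web:S3cr3tPa55@db01.internal.example:3306/app"
password = os.environ["DB_PASSWORD"]
timeout = 30
"""


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # the offending line with the secret value masked


# Each rule captures the secret value in a group named "secret" so that
# the finding can be reported without repeating the secret itself.
RULES = [
    # password = "hunter2", pwd: hunter2, SECRET=hunter2 ...
    ("password-assignment",
     re.compile(r"""(?i)\b(pass(word)?|pwd|secret)\s*[:=]\s*["']?(?P<secret>[^\s"']+)""")),
    # scheme://user:password@host
    ("connection-uri",
     re.compile(r"""\b[a-z][a-z0-9+.-]*://[^\s:/@]+:(?P<secret>[^\s@/]+)@""")),
    # mysql -pPASSWORD or --password=PASSWORD on a command line
    ("mysql-cli-password",
     re.compile(r"""\s(?:-p|--password=)(?P<secret>[^\s]+)""")),
]


def _looks_like_reference(value):
    """True for values that are variable lookups rather than literal secrets."""
    return value.startswith(("os.environ", "$", "${", "%(")) or value in {"None", "null"}


def redact(line, match):
    """Replace the captured secret with asterisks of the same length."""
    start, end = match.span("secret")
    return line[:start] + "*" * (end - start) + line[end:]


def find_secrets(text):
    """Return one Finding per line that appears to contain a literal credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        for kind, rx in RULES:
            m = rx.search(line)
            if m and not _looks_like_reference(m.group("secret")):
                findings.append(Finding(no, kind, redact(line, m)))
                break  # one finding per line is enough to block the paste
    return findings


if __name__ == "__main__":
    for f in find_secrets(SAMPLE_PASTE):
        print(f"line {f.line_no}: {f.kind}: {f.redacted}")
```

Run against the sample, the scanner reports the command-line password on line 1 and the credential embedded in the URI on line 4, and stays quiet on the `os.environ` lookup, which is the pattern a reviewer wants to see instead. Pattern lists like this are a starting point, not a guarantee: they catch the obvious shapes a leak takes, so a finding should block the publish step and a clean result should not be read as proof that nothing sensitive is present.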