Facebook PHP Code Leaked

I have been entertaining friends and family this weekend, so when I finally opened up Google Reader it was with great surprise that the first story that came up was about Facebook having leaked some of its source code. My immediate reaction was that it was some form of hoax, and the code that was posted seemed at best amateurish, which also gave me doubts as to its origins.
It did not take much further reading before I came across Mashable's coverage and TechCrunch’s post, which included a confirmation from Facebook.
“Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.”
It seems that this problem has been present for a while but until now those who were affected were not technical enough to recognize that the page of PHP appearing was worth reporting.
In reality this single page does not reveal a massive amount about the real structure of Facebook. The entry page of most large PHP applications will always be the glue that brings everything else together and glue is really not that interesting.
Although the flavor of glue they are using does not taste good to me (it’s not using Model View Controller), it is sticking to tried and tested ways of using PHP, which in most cases is ‘keep it simple’. However, it does break a whole host of maintainability rules and has serious overuse of block IF statements which then have further dependencies later in the code. And lastly, the arbitrary inclusion of unnecessary files makes me question whether:
A) They have more servers than god and do not need to care about optimization.
B) They know something I do not and that autoload (or an autoloading mechanism if it is not PHP 5) is not worth bothering with.
C) Every file IS required for every page request.
So what will the fallout be? On initial inspection, the code looks like the chance of vulnerabilities is low, as very few PHP calls are made (as I said, it is just glue), and therefore it is unlikely a clear injection vulnerability will appear immediately. I am sure they will also take steps to further patch anything they think could become compromised by the leaks (I sure as hell would have a team working on it).