Facebook was down for hours today — the company’s error screen says this was due to an upgrade. Multiple sources, though, are pointing to a software bug.
[Update: It was a bug and the site is now live. From Facebook:
This morning, we temporarily took down the Facebook site to fix a bug we identified earlier today. This was not the result of a security breach. Specifically, the bug caused some third party proxy servers to cache otherwise inaccessible content. The result was that an isolated group of users could see some pages that were not intended for them. The site has now been restored and we apologize for any inconvenience this may have caused.
Previously published story continues, below.]
One blogger, mDibb (see below), reports he was able to see others’ email addresses displayed when he tried to log in as himself.
Another source — from within Facebook’s community of third party developers — reports that some users have been able to log in as themselves yet are somehow accessing others’ inboxes once they have logged in.
As we understand it, both problems could stem from Facebook failing to correctly associate requests from your browser with your own account. The company has said that it introduces updates to its code on a weekly and even daily basis — it appears the bug was introduced along with a recent update, and the company is now scrambling to remove it.
We are currently trying to verify these problems, and we’re awaiting a response from the company. Expect updates.
We have also heard that Facebook was aware of these problems while the site was live, and decided to take it down in order to make repairs.
So I cleared the cookie and went back to Facebook again to log in. But now the Facebook page was showing me a completely different email address. A quick look in the source code and sure enough the email address was hard-coded into the <input> tag’s value attribute! If I refreshed the page immediately I got my email again, but if I closed the browser and left it for a few minutes then went back - bingo! Another person’s email address had appeared! I wonder how many “live” email addresses got harvested today? I know I saw at least 5 or 6 and I was only looking for a few minutes…
So fast forward another couple of hours and I visit facebook again - now more out of curiosity than clinical addiction - and there is a notice up (click for larger version):
Pardon my paranoia, but is this not pretty odd? No prior warning, no adverts, no schedule, and the source code has what looks like some frantically hand-coded HTML using <center> and <br> despite the XHTML doctype. Makes you wonder. What happened today, Facebook?
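The failure mode Facebook describes above (a shared proxy cache storing a per-user page and handing it to someone else) is usually a matter of response headers. The following is an added example, not code from the article, the blogger or Facebook: a small audit that checks whether a response known to carry user-specific content is marked so that shared caches must not store it, using the shared-cache rules of RFC 7234 (Cache-Control: private / no-store). The sample headers are constructed for illustration.

```python
"""Audit cache headers on a response that contains per-user data.

A shared cache (forward proxy, CDN) may not store a response marked
'Cache-Control: private' or 'no-store'; anything else risks the cached copy,
keyed only by URL, being served to the next user who requests that URL.
"""
from typing import Dict, List


def parse_cache_control(value: str) -> Dict[str, str]:
    """Split 'private, max-age=600' into {'private': '', 'max-age': '600'}."""
    directives: Dict[str, str] = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, arg = part.partition("=")
            directives[name.strip()] = arg.strip().strip('"')
    return directives


def shared_cache_may_store(headers: Dict[str, str]) -> bool:
    """True if a shared cache is permitted to store this response.
    Keys are expected lower-cased. Absence of private/no-store is treated as
    storable, since caches may apply heuristic freshness to plain 200 responses."""
    cc = parse_cache_control(headers.get("cache-control", ""))
    return "no-store" not in cc and "private" not in cc


def audit_personalised_response(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that embeds user-specific content
    (e.g. the user's email hard-coded into a form field)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if shared_cache_may_store(h):
        findings.append("shared cache may store this per-user page; "
                        "send Cache-Control: private, no-store")
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    if not vary & {"cookie", "*"}:
        findings.append("Vary lacks Cookie: any cached copy is keyed by URL only")
    return findings


# Constructed samples: a leaky configuration and a corrected one.
LEAKY = {"Content-Type": "text/html", "Cache-Control": "max-age=600"}
FIXED = {"Content-Type": "text/html",
         "Cache-Control": "private, no-store", "Vary": "Cookie"}

if __name__ == "__main__":
    for name, hdrs in (("leaky", LEAKY), ("fixed", FIXED)):
        print(name, audit_personalised_response(hdrs) or ["ok"])
```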
5 Comments
-
a colored girl says said:
There was also this interesting report, which i found via clicking through to a blog from a CNET article:
Defacing Facebook: A Security Case Study
Adrienne Felt, University of Virginia
http://www.cs.virginia.edu/felt/fbook/facebook-xss-censored.pdf
-
Ray Burt said:
Isolated…yeah, right.
-
Facebookworm said:
Did you know that Facebook was sponsored by a CIA agent?
-
steve moongah said:
my facebook has been down for 9 days now, it only opens with errors on it. Can’t access my profile page, nor can I reply to anyone. All it will allow me to do is view some messages in my inbox. All other sites are fine, only facebook is giving me problems. Can you please sort this out for me as I am losing touch with all my friends. Many Thanks Steve.
2 Trackbacks
3:24 pm
Facebook Down Because Of… « winklestiltskin said:
[...] read more | digg story [...]
12:31 am
VentureBeat » Facebook roundup: Leaking code, growing up and solving copyright issues said:
[...] Facebook’s most prized possession is the data it has on its users — its social graph — and the company said that no user data was exposed. To put this in context: On July 31st, another security hole left open by the company appeared to have actually revealed some users’ data. [...]