Facebook was down for hours today — the company’s error screen says this was due to an upgrade. Multiple sources, though, are pointing to a software bug.
[Update: It was a bug and the site is now live. From Facebook:
This morning, we temporarily took down the Facebook site to fix a bug we identified earlier today. This was not the result of a security breach. Specifically, the bug caused some third party proxy servers to cache otherwise inaccessible content. The result was that an isolated group of users could see some pages that were not intended for them. The site has now been restored and we apologize for any inconvenience this may have caused.
Previously published story continues below.]
One blogger, mDibb (see below), reports he was able to see other users’ email addresses displayed when he tried to log in as himself.
Another source — from within Facebook’s community of third-party developers — reports that some users have been able to log in as themselves yet are somehow accessing other users’ inboxes once they have logged in.
As we understand it, both problems could stem from Facebook failing to correctly track which user a given browser session belongs to. The company has said that it pushes updates to its code on a weekly and even daily basis; it appears the bug was introduced along with a recent update, and the company is now scrambling to remove it.
We are currently trying to verify these problems, and we’re awaiting a response from the company. Expect updates.
We have also heard that Facebook was aware of these problems while the site was live, and decided to take it down in order to make repairs.
So I cleared the cookie and went back to Facebook again to log in. But now the Facebook page was showing me a completely different email address. A quick look in the source code and sure enough the email address was hard-coded into the <input> tag’s value attribute! If I refreshed the page immediately I got my email again, but if I closed the browser and left it for a few minutes then went back – bingo! Another person’s email address had appeared! I wonder how many “live” email addresses got harvested today? I know I saw at least 5 or 6 and I was only looking for a few minutes…
So fast forward another couple of hours and I visit facebook again – now more out of curiosity than clinical addiction – and there is a notice up (click for larger version):
Pardon my paranoia, but is this not pretty odd? No prior warning, no adverts, no schedule, and the source code has what looks like some frantically hand-coded HTML using <center> and <br> despite the XHTML doctype. Makes you wonder. What happened today, Facebook?
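The mechanism in Facebook’s statement (third-party proxies caching content meant for one user) and the symptom mDibb saw (a stranger’s address sitting in the `<input>` value attribute) can be reproduced with a small simulation. This is an added example, not code from Facebook or from the blog post. The session table, the `/login` URL and the three origin handlers are constructed for illustration, and the choice of a missing `Cache-Control: private` as the trigger is an assumption about one common cause of shared-cache leaks, not something the page confirms was Facebook’s actual bug.

```python
"""Toy shared-proxy cache: how a personalized page leaks to another user.

Constructed illustration (not Facebook's code). The origin embeds the
logged-in user's e-mail in an <input value="..."> as the blogger observed;
the proxy stores any 200 response not marked private/no-store, keyed on URL
plus the request headers named in Vary (a simplified reading of RFC 7234).
"""
from html import escape
from typing import Callable, Dict, Tuple

Headers = Dict[str, str]
Response = Tuple[int, Headers, str]

# Constructed session table: cookie value -> account e-mail (assumed data).
SESSIONS = {
    "sid=alice-token": "alice@example.com",
    "sid=bob-token": "bob@example.com",
}


def _render(email: str) -> str:
    """Login form with the account e-mail pre-filled, like the page mDibb saw."""
    return f'<form><input type="text" name="email" value="{escape(email)}"></form>'


def origin_vulnerable(request: Headers) -> Response:
    """Personalized page with no caching directives at all."""
    email = SESSIONS.get(request.get("Cookie", ""), "")
    return 200, {"Content-Type": "text/html"}, _render(email)


def origin_vary_only(request: Headers) -> Response:
    """Relies on Vary: Cookie so a compliant cache keeps one copy per cookie."""
    email = SESSIONS.get(request.get("Cookie", ""), "")
    return 200, {"Content-Type": "text/html", "Vary": "Cookie"}, _render(email)


def origin_fixed(request: Headers) -> Response:
    """Marks the page per-user so a shared cache must not store it at all."""
    email = SESSIONS.get(request.get("Cookie", ""), "")
    headers = {"Content-Type": "text/html",
               "Cache-Control": "private, no-store", "Vary": "Cookie"}
    return 200, headers, _render(email)


class SharedProxyCache:
    """Minimal forward-proxy cache shared by every user behind it."""

    def __init__(self, origin: Callable[[Headers], Response]) -> None:
        self.origin = origin
        self.store: Dict[Tuple, Response] = {}  # (url, vary-pairs) -> response
        self.hits = 0

    @staticmethod
    def _cacheable(headers: Headers) -> bool:
        directives = {d.strip().lower()
                      for d in headers.get("Cache-Control", "").split(",")}
        return not ({"private", "no-store"} & directives)

    def get(self, url: str, request: Headers) -> Response:
        # A stored entry matches if its URL matches and every header the
        # origin listed in Vary has the same value on this request.
        for (stored_url, vary_pairs), resp in self.store.items():
            if stored_url == url and all(request.get(h, "") == v for h, v in vary_pairs):
                self.hits += 1
                return resp
        resp = self.origin(request)
        status, headers, _ = resp
        if status == 200 and self._cacheable(headers):
            vary_pairs = tuple((h.strip(), request.get(h.strip(), ""))
                               for h in headers.get("Vary", "").split(",") if h.strip())
            self.store[(url, vary_pairs)] = resp
        return resp


def shown_email(resp: Response) -> str:
    """The address a browser would display: the input's value attribute."""
    body = resp[2]
    start = body.index('value="') + len('value="')
    return body[start:body.index('"', start)]


def simulate(origin: Callable[[Headers], Response]) -> Tuple[str, str, int, int]:
    """Alice loads the page first, then Bob, both behind the same proxy.

    Returns (what Alice saw, what Bob saw, cache hits, entries stored).
    """
    proxy = SharedProxyCache(origin)
    alice = shown_email(proxy.get("/login", {"Cookie": "sid=alice-token"}))
    bob = shown_email(proxy.get("/login", {"Cookie": "sid=bob-token"}))
    return alice, bob, proxy.hits, len(proxy.store)


if __name__ == "__main__":
    print("vulnerable:", simulate(origin_vulnerable))  # Bob is shown Alice's address
    print("vary only: ", simulate(origin_vary_only))   # correct, but one cached copy per cookie
    print("fixed:     ", simulate(origin_fixed))       # never stored by the shared cache
```

In the vulnerable run Bob receives Alice’s page straight from the cache, which is exactly the “another person’s email address had appeared” effect. `Vary: Cookie` alone avoids the leak only if every intermediary honours it; `Cache-Control: private, no-store` is the setting to check for on any response that contains per-user data, because it stops a shared cache from storing the page in the first place.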