

A look inside Facebook's source code - evandrix
http://sintheticlabs.com/blog/a-look-inside-facebooks-source-code.html

======
anw
Interesting.

It's also interesting that Facebook developers are using Pastebin for things
such as this. I would assume that they'd have an internal wiki, or gist-like
app.

It's also noteworthy to see how they set up their accounts: first initial,
full last name—same standard as many other companies. But seeing it laid out
can help in the guessing of other names (or common name occurrences, as you
don't even need a full first name).

While some leaks may not even be effective outside Facebook's internal network
(things such as database credentials, network shares… hopefully), having
actual code that may be in production does pose a risk. The possibility to see
where, for instance, data isn't fully sanitized, or where information being
fetched might not require proper authentication[1] is more worrying. Facebook
is known for promoting "move fast and break things". Hopefully they have good
QA and SDET teams to catch these things.

[1] One code snippet features the following: > // TODO: add privacy checks!

~~~
rjayatilleka
I'm not surprised they don't have a gist/pastebin like app. When I interned at
Amazon this summer, they were just developing one, and it was still pretty
alpha (persistence was buggy and lost me an entire design review of notes).
Facebook is younger, so it seems fair that they don't have one.

~~~
TTPrograms
Facebook has been around for a decade at this point. Youth isn't much of an
excuse.

------
pilif
Tangentially related, I'd like an opinion on this:

 _> Okay, so it's not the most secure password. But Facebook's database
servers are heavily firewalled. Though if you do manage to break in to
Facebook's servers, there's the password._

What is the point of even having a database password? The application itself
needs access to the database, so the application needs to know the password.

That means that an attacker who gains access to the application can easily
just look at the file where the password is stored and then use that to access
the database.

Even if you'd go to great lengths, asking for the password at server start and
only keeping it in memory - once an attacker is on the application server, the
password is in memory and can be snooped.

So the question is: Why even use a password for the web application? In my
case, I'll just let the application servers connect to the database without
password.

~~~
dsl
A password means you can't access the database server from a mail server or
file server. Complex environments have more than just a database server and a
few web servers.

~~~
pilif
That's why my pg_hba.conf is configured to only allow app servers passwordless
access.

~~~
daigoba66
Bingo. And in the MSSQL world it's common to also have Active Directory and
use that for authentication (each server automatically has a unique "account",
and SQL login permission can be granted using that).
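The set-up pilif describes (passwordless access only from the app servers) is only as good as the address rules in pg_hba.conf, which is exactly the gap dsl points at. The following is an added example, not code from the page or from the blog it discusses: a small audit script that parses a pg_hba.conf and reports any `trust` rule whose address range is not confined to the application subnet, plus any network rule that still uses the cleartext `password` method. The subnet and the sample config are constructed for the example.

```python
# Added example (not code from the page or the blog it discusses): audit a
# pg_hba.conf so that passwordless ("trust") access stays confined to the
# application-server subnet. The subnet and sample config are constructed.
import ipaddress

# Assumption for the example: the app servers live on this subnet.
APP_SERVER_SUBNET = ipaddress.ip_network("10.0.1.0/24")

# Constructed pg_hba.conf: line 3 matches the intent, lines 4, 5 and 7 do not.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS          METHOD
local   all       postgres                   peer
host    appdb     appuser   10.0.1.0/24      trust
host    appdb     appuser   10.0.2.0/24      trust
host    all       all       0.0.0.0/0        password
host    all       all       10.0.0.0/8       scram-sha-256
host    all       all       all              trust
"""


def parse_pg_hba(text):
    """Return one dict per rule line; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local":
            # Unix-socket rules have no ADDRESS column.
            conn_type, db, user, method, addr = parts[0], parts[1], parts[2], parts[3], None
        else:
            conn_type, db, user, addr = parts[:4]
            if parts[4][0].isdigit():
                # ADDRESS written as "ip netmask" in two columns.
                addr = addr + "/" + parts[4]
                method = parts[5]
            else:
                method = parts[4]
        rules.append({"line": lineno, "type": conn_type, "db": db,
                      "user": user, "address": addr, "method": method})
    return rules


def address_within(addr, subnet):
    """True only if a pg_hba ADDRESS (CIDR or ip/netmask) lies inside subnet.

    Keywords such as 'all' or 'samenet' and hostnames cannot be proven to be
    confined, so they count as outside the subnet.
    """
    if addr is None:
        return False
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return False
    return net.version == subnet.version and net.subnet_of(subnet)


def audit(text, app_subnet=APP_SERVER_SUBNET):
    """Return (line number, message) pairs for rules that undercut the design."""
    findings = []
    for rule in parse_pg_hba(text):
        if rule["type"] == "local":
            continue  # Unix-socket rules are not reachable from a mail or file server
        if rule["method"] == "trust" and not address_within(rule["address"], app_subnet):
            findings.append((rule["line"],
                             "trust granted outside the app-server subnet (%s)" % rule["address"]))
        elif rule["method"] == "password":
            findings.append((rule["line"], "cleartext 'password' method on a network rule"))
    return findings


if __name__ == "__main__":
    for line, msg in audit(SAMPLE_PG_HBA):
        print("pg_hba.conf:%d: %s" % (line, msg))
```

Run against the constructed config it reports lines 4, 5 and 7 and accepts line 3. The check makes the dependency explicit: with `trust`, the address column is the whole authentication, so the audit belongs wherever the subnet assignment can change (host provisioning, firewall rule review), not just at database install time.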

------
misiti3780
Fascinating stuff. I'm still amazed at how many usernames/passwords are freely
available via github search:

[https://github.com/search?p=96&q=gmail+password&ref=searchre...](https://github.com/search?p=96&q=gmail+password&ref=searchresults&type=Code&utf8=%E2%9C%93)

Even if they have 2-step auth set up, people choose "complete the email
address" as a form of authentication, which you can most likely get from their
github profile.

The moral of the story here is: if you do not want someone to find it, do
not publish it online.
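What the GitHub search above finds by hand is what a pre-push secret scan finds automatically. The following is an added example, not code from the page: a small scanner run over constructed sample files that flags the three shapes that turn up most in such searches (a password-like assignment, a Gmail address paired with a password, and credentials embedded in a URL), skips values that are runtime lookups rather than literals, and reports a redacted value so the report itself does not re-leak the secret. File names, patterns and sample contents are all constructed for the example.

```python
# Added example (not code from the page): a minimal secret scanner of the kind
# run before pushing, over constructed sample files.
import re

# Three shapes that the GitHub search in the thread turns up; the secret is
# always the last capturing group.
PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)(?:pass(?:word|wd)?|pwd|secret)\w*\s*[:=]\s*['"]?([^'"\s,;]{4,})"""),
    "gmail_credential_pair": re.compile(
        r"""([A-Za-z0-9._%+-]+@gmail\.com)\s*[:,]\s*(\S{4,})"""),
    "url_with_credentials": re.compile(
        r"""\b[a-z][a-z0-9+.-]*://([^/\s:@]+):([^/\s@]+)@"""),
}

# Constructed sample repository contents (no real credentials).
SAMPLE_FILES = {
    "settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "s3cr3t-example"\n'                 # literal secret: flagged
        'SMTP_PASSWORD = os.environ["SMTP_PASSWORD"]\n'    # runtime lookup: fine
    ),
    "notes.txt": "mailer: alice.example@gmail.com:correct-horse-example\n",
    "deploy.sh": "git clone https://deploy:tok3n-example@git.example.com/repo.git\n",
}


def looks_like_placeholder(value):
    """Skip values that are lookups or templates rather than literal secrets."""
    lowered = value.lower()
    return (lowered.startswith(("os.environ", "os.getenv", "getenv(", "${", "<", "%(", "{{"))
            or lowered in {"none", "null", "true", "false", "changeme"})


def redact(secret):
    """Keep just enough of the value to locate it without re-leaking it."""
    return secret[:2] + "..." if len(secret) > 2 else "..."


def scan_text(filename, text):
    """Return one finding dict per matched secret in the given file contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                secret = m.group(m.lastindex)
                if looks_like_placeholder(secret):
                    continue
                findings.append({"file": filename, "line": lineno,
                                 "kind": kind, "value": redact(secret)})
    return findings


def scan_files(files):
    """Scan a {filename: contents} mapping, e.g. the staged files of a commit."""
    findings = []
    for filename, text in files.items():
        findings.extend(scan_text(filename, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print("%s:%d: %s (%s)" % (f["file"], f["line"], f["kind"], f["value"]))
```

On the constructed files it reports `settings.py:2`, `notes.txt:1` and `deploy.sh:1` and stays quiet on the `os.environ` lookup. The placeholder allowlist is the part worth tuning per code base; the same idea at scale, with far more patterns and entropy checks, is what tools such as gitleaks and trufflehog implement.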

~~~
icpmacdo
I'm not a hacker/cracker or whatever, but I am curious: would it be illegal to
use one of those usernames and passwords to see if it actually worked for an
account?

edit: I know that it is not ethical and I am only slightly tempted to do it,
but is it actually illegal to use open source code in that way?

~~~
IkmoIkmo
Depends on the jurisdiction, but generally yes it'd be illegal.

You can compare it to opening someone's home because he left his key in a
public place unbeknownst to him.

You generally couldn't make the argument that 'he may have wanted people to
have the key, that's why he left it in a public/open source place'. Firstly,
one can't assume that, so we must hear it explicitly before it's true. And
secondly, if universal open-source access was provided, there wouldn't be a
key to find as there wouldn't be a lock in the first place to allow specific
access. The whole point of a password or key means you do not want fully open
access to all, meaning any password or key in an open-source project is likely
unintentional, a mistake, and thus you'd be entering without permission which
is illegal in most jurisdictions.

------
shaunpud
Part 2: [http://sintheticlabs.com/blog/a-look-inside-facebooks-source...](http://sintheticlabs.com/blog/a-look-inside-facebooks-source-code-part-2.html)

------
superasn
I found an interesting post from "karthimx" [1] made on Jun 30, 2010.

It too contains the password "e5p0nd4". This user didn't do any hacking or
googling but got this error browsing facebook. He says "Suddenly I got this
error message in Facebook" (so apparently inside the production environment,
wtf?).

[1] [https://forums.digitalpoint.com/threads/facebook-error-messa...](https://forums.digitalpoint.com/threads/facebook-error-message.1855399/)

[2] [http://www.zyngaplayerforums.com/archive/index.php/t-545034-...](http://www.zyngaplayerforums.com/archive/index.php/t-545034-p-3.html)
- Another one from 2010!

------
Alex3917
Somewhat ominous for top HN users:

[http://pastebin.com/6GeZnS9b](http://pastebin.com/6GeZnS9b)

~~~
ssclafani
This was someone's attempt at a bitcoin public challenge:
[https://news.ycombinator.com/item?id=6765801](https://news.ycombinator.com/item?id=6765801)
(Get a wallet's passphrase which was the username of someone in the Hacker
News top 100, minus 2 characters).

~~~
petercooper
Was amused to click through and see it was my username involved.

Mostly as I gave up ever trying to do anything with Bitcoin because I simply
can't get my head around any of the practicalities, lol, so it definitely
wasn't anything of mine! ;-)

------
Buge
Reminds me somewhat of this
[https://twitter.com/dumpmon](https://twitter.com/dumpmon) which monitors all
pastes for email and password dumps. You can use
[https://haveibeenpwned.com/](https://haveibeenpwned.com/) to search if your
email has ever been leaked/dumped.

------
bmeckel
Pastebin has TONS of stuff lying around, it's pretty fascinating. I've always
wanted to spend some time digging around there, but haven't gotten around to
it.

~~~
misiti3780
Is there a public API?

EDIT - there is - I had no clue:
[http://pastebin.com/api#1](http://pastebin.com/api#1)

