“How a PHP Exploit Made Me the Prime Suspect,” Says George Clooney

“This is a story from 2004, the year of both ‘Ocean’s Twelve’ and Facebook. A remote exploit of PHP pointed at me as the prime suspect,” says George Clooney.

Clooney writes this in a letter, and adds real quick:

“I’m married to a barrister and I am a big fan of nice back-ends, but the similarities stops there!”

“I’m not THAT Clooney!”

Hey, Cheeky Coder.

It was the year of both “Ocean’s Twelve” and Mark cooking up this Faceguestbook in his dorm. It was called Faceguestbook back then. The page which is now branded as your timeline was a simple guestbook scripted in PHP. I was allowed in fairly early with my george.clooney at harvard.com email address. It was even back then possible to upload your own pictures, in albums and as profile picture. There was only one problem; PHP before 4.3.10 allowed remote attackers to execute arbitrary code via a long section name in an image file. One night every profile image of every account was replaced with one of the other George Clooney – and the status texts replaced with “Danny Ocean Was Here – Guess Who!” Most people guessed me, of course.

It wasn’t.

Best regards,

George Timothy Clooney


This is a post in the George Clooney series. Posts in this series:



Please follow me on Twitter and let my my feed sit idle in your RSS reader.