Chris Putnam: The First Facebook Hacker

Have you ever, while using Facebook chat, seen one of your friends post the face of a certain dude looking up and to the right? Whenever you see that face, you can’t help wondering who that guy is, and how important he must be to be the only person whose face is used as a Facebook emoticon.

If you ask your friends how they do it, they might simply tell you to type :putnam: and that curious face comes out in the chat box. But the main question remains: just who in the world is that Putnam guy anyway?

As the title says, the Putnam guy we’re talking about is Chris Putnam. And just who is Chris Putnam? The answer is short, and it is the only thing you are likely to find out about him on the internet: he is an engineer at Facebook. That’s it.

Almost everything you can find on the web is just as dull as that: Chris Putnam, the guy who became instantly famous, or infamous, after including his face in the list of Facebook emoticons and smileys, is an engineer at Facebook. Nothing more, nothing less.

It’s a bit of a letdown if you searched for the guy’s name only to learn that. So, to satisfy at least a little more of your curiosity: there are stories that it wasn’t him who put the emoticon there in the first place; they say it was his friends.

In the end, the Putnam emoticon is just, well, the Putnam emoticon, and you may use it as you see fit. Here is his real picture, taken from his Facebook blog.

So, why did he get hired at Facebook? Haven’t figured it out yet?

Here’s something which clearly describes the incident:

Chris Putnam, I am this person.

Around the end of 2005, I worked on a series of hacks and pranks on Facebook with my friends Marcel Laverdet and Kyle Stoneman. One of these pranks was an XSS-based worm that spread through Facebook profiles by way of an unsanitized profile field (Websites).

Our worm code would rapidly and silently copy itself from profile to profile, spreading virally through friends viewing one another’s profiles. The code itself was run off of an off-site server under my control, so at any time I could change the script that was running on everyone’s profiles.

Before seeding the worm, Marcel and I wrote a tiny JS library that replicated a bunch of FB functionality like adding a friend, poking, messaging, wall posts, etc. This let us quickly modify the master script to do different things with the controlled accounts. I then made the first “generation” of the worm include this library and upon execution, silently send a friend request to my test account. This way I could easily track the number of infected users as the outstanding friend request number ticked up on my homepage.

Meanwhile, Marcel and Kyle were working on the comedy: a CSS stylesheet that perfectly re-styled Facebook profiles into MySpace profiles (circa 2005). It was really impressive work and rearranged all the fields on the profile into MySpace’s ugly boxes and color scheme.

So the first generation of the worm had three symptoms when you viewed an infected profile: (a) It friended my test account; (b) It re-styled the profile to look like MySpace; (c) It copied itself to your own profile.

The modified profiles lasted less than a day before Facebook started getting complaints. And this quickly led to a series of hilarious friend requests of numerous employees at Facebook as they got infected, including internal test accounts known as “The Creator”. Seeing that infection we thought we got Mark Zuckerberg at that point and declared the operation a smashing success. [note: “The Creator” was not Zuck’s account, and I’m not actually sure if he got hit with the worm or not.]

In hindsight, we thought we should have spread the worm as much as possible without any visible symptoms. But at the time I was highly confident Facebook would detect the XSS vector before we’d get very far at all, so I wanted to get as many profile views with the custom stylesheet as possible. Kyle and Marcel are still kicking me for that one. We had other opportunities for fun later though, including a second smaller worm that spread through photo captions where Marcel had the worm post random messages to random friends’ walls (e.g., “Hey, nice shoes.” or “This wall is now about trains.”).

As fixes started rolling out for the worm, I got a message in my personal Facebook inbox from co-founder Dustin Moskovitz. His knowledge of my identity didn’t come as much of a surprise since the worm’s interaction with my account was a dead giveaway and we even went out of our way to provide contact information in the source code and CSS file. I’m having a hard time finding the exact text of his message right now, but it was along the lines of “Hey, this was funny but it looks like you are deleting contact information from users’ profiles when you go to replicate the worm again. That’s not so cool.” This then led to a lot of back-and-forth between myself and Dustin where I explained the worm in detail and other holes I had found and planted worms within. He was incredibly friendly about the whole thing and we continued talking fairly frequently over AIM for a month or so. I pulled a couple more dumb stunts during this time, in particular locking up several college databases testing SQL injection holes.

At the time I was getting pretty bored with college at Georgia Southern University and really wanted to move to Silicon Valley anyway. In January of 2006, I had a friend in San Francisco who offered me an interview at his company, which seemed like a great opportunity to get out. I told Dustin about this and he immediately offered me an interview with Facebook.

Now, this seemed pretty nice and all, but this was a period in tech history where MySpace had just gone through something extremely similar–guy makes harmless XSS worm, the company offers to hire him–but in their case, they had him arrested as he arrived at LAX and turned him into a convicted felon.

With Samy in mind, I saved up a lot of extra cash and brought a friend with me to California to help in case things went south at the “interview.” But everything was uneventful up until I was standing outside Facebook’s office in Palo Alto. At that point, I got pretty worried they’d change their tune once I got inside. I got in the elevator, it went up to the 2nd floor where I was to meet Dustin, and the doors opened with Dustin–not cops–standing right in front of me. This was an enormous relief for me, with the subsequent interviews really easy on my nerves in comparison. [Dustin recently joked that “it’s just a really long con; the cops will be waiting for you!”]

I was hired right away and actually started working just a few days after the interview. Later that summer, we were able to convince Marcel to drop out of school and join. Kyle was less interested in Facebook at the time and has since graduated school and continued working on various tech projects in the political world in Washington D.C.

I will be forever grateful that the company was so sympathetic toward people like myself. It’s one of the things that really sets Facebook apart with its passion for scrappy, hacker-type engineers.
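The “unsanitized profile field (Websites)” in the account above is a stored-XSS sink. As an added example (not code from Putnam or Facebook; the page gives neither the markup nor the payload, so the function names and sample inputs here are constructed), this puts that rendering pattern beside a hardened one that validates the URL scheme on input and HTML-encodes on output:

```javascript
// Added example: rendering a user-supplied "Websites" profile field.
// All names and sample values are constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored value is concatenated into markup as-is,
// so a quote in the field ends the attribute and the rest becomes markup.
function renderWebsiteUnsafe(value) {
  return '<a href="' + value + '">' + value + '</a>';
}

// Input validation: accept only absolute http(s) URLs.
// Returns the normalized URL string, or null if the value is rejected.
function parseWebsite(value) {
  let url;
  try {
    url = new URL(String(value).trim());
  } catch (_) {
    return null; // not an absolute URL at all
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href; // the URL parser percent-encodes ", < and > in the path
}

// Hardened pattern: validate on the way in, encode on the way out.
function renderWebsiteSafe(value) {
  const href = parseWebsite(value);
  if (href === null) return '<span>' + escapeHtml(value) + '</span>';
  const safe = escapeHtml(href);
  return '<a href="' + safe + '" rel="nofollow noopener">' + safe + '</a>';
}

// Constructed sample field values: benign, script-scheme, attribute breakout.
const SAMPLES = [
  'https://example.com/blog',
  'javascript:alert(1)',
  'http://example.com/"><script src="//example.invalid/w.js"></script>',
];

for (const s of SAMPLES) {
  console.log(renderWebsiteUnsafe(s), '\n ->', renderWebsiteSafe(s));
}
```

A Content-Security-Policy that restricts `script-src` to the site's own origins adds a second layer against a script loaded from an off-site server, as the worm's was.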

Chris Putnam showing Facebook’s HD video feature

In this video, Chris Putnam, a software engineer at Facebook who runs the video team, talks about its new HD video feature. He also tells how he got his job at Facebook, which, as you now know, wasn’t through a traditional interview.