Slashdot Mirror


Facebook Breaks Major Websites With Redirection Bug

johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"

33 of 179 comments

  1. so... by liamevo · · Score: 5, Insightful

    can we please stop relying on third parties for things *you* should be providing to your users.

    1. Re:so... by Seumas · · Score: 5, Funny

      Hey, just because all of my forum stuff comes from Disqus, my word of mouth spreading comes from twitter, facebook, and google plus integrations, and my content comes from automatic AP feeds doesn't mean I don't provide anything myself! I . . . . uh . . . .

    2. Re:so... by orthancstone · · Score: 5, Insightful

      On one hand, I'd prefer to see authentication in the hands of someone I consider more reliable (like Google) than some programmer of questionable ability at (Insert Random Dying Newspaper here).

      On the other hand, a hearty "HA HA!" does feel appropriate here. They do get what they are asking for by being so deeply tied to a third party.

    3. Re:so... by saveferrousoxide · · Score: 5, Funny

      I deal with the goddamn customers!

    4. Re:so... by CastrTroy · · Score: 4, Interesting

      I know a guy who does this. He pulls in about $50 a month with a site that basically runs itself. The only reason I don't do it is because the "ads" he ends up generating money off of are the kind that pay out when the visitor to his site installs a tool bar or some other nefarious thing. The only reason I wouldn't do that is that I don't think it's ethically correct to lure people into installing stuff they don't want on their computer. But I imagine that someone who's ambitious enough, and who sets up enough sites could generate quite a bit of money like this.

      --
      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    5. Re:so... by davester666 · · Score: 2

      ...said the person who just finished installing an autoreply bot...

      --
      Sleep your way to a whiter smile...date a dentist!
  2. Congrats by Anonymous Coward · · Score: 5, Insightful

    If you let others insert scripts into your pages they can steal your visitors.

    Maybe it'll make sites think about who they script src from.

    1. Re:Congrats by FireFury03 · · Score: 4, Insightful

      If you let others insert scripts into your pages they can steal your visitors.

      Maybe it'll make sites think about who they script src from.

      One of the bad things I've noticed recently is that HSBC is including objects from third party organisations in their ebanking login pages. I do wonder if any thought has gone into the security of such things, or if HSBC simply don't care (my experience of banks tells me that none of them have a single clue when it comes to internet security).

    2. Re:Congrats by Anonymous Coward · · Score: 2, Funny

      Well if drug kingpins and terrorists use them, they must be a pretty good bank.

  3. Here Endeth The Lesson. by fuzzyfuzzyfungus · · Score: 2

    Not that it will; but let that be a lesson to you.

  4. facebook by hackula · · Score: 4, Funny

    The first successful test. Soon every site will redirect to facebook, then... the world!

  5. Single point of failure by Anonymous Coward · · Score: 2, Interesting

    Recently we have seen very widespread "single point of failure" issues. Notably with Facebook and Apple who are both so pervasive in society. These firms are constantly doing major and complicated software updates and those updates are propagated either invisibly in the background or introduced through "voluntary" software updates where you don't get major new features unless you do the update and you have to simply live with whatever bugs or feature cripples come along with it.

    The fact so many people are dependent on these very small number of very human folks is a large "single point of failure" risk for society and its individual, business, and government segments.

    JJ

    1. Re:Single point of failure by SJHillman · · Score: 3, Informative

      I use Facebook, I admit it. However, I only use Facebook for Facebook. If I log in to another site, I don't use the "Connect with Facebook" option to log in. If the site only allows you to log in with Facebook, I leave. I've yet to find a mission critical site like banks, etc that use Facebook or another service. Therefore, I'm doing my part to save humanity from the single point of failure.

  6. Re:Um... How? by belthize · · Score: 3, Interesting

    I suspect horrible article is the main culprit. At a guess I suspect this is nothing more than Facebook's authentication service failing.

    Client is directed to Facebook for authentication, mechanism fails, Facebook tosses up error page. The implication that Facebook did anything wrong other than having buggy authentication is likely way off base.

    Full disclosure, don't have a facebook page, never visited a facebook page, have zero interest in facebook.

  7. Re:Good. by Anonymous Coward · · Score: 2, Funny

    They prefer to be called facebook serfs

  8. I keep trying to use Facebook. by hessian · · Score: 5, Insightful

    I've come to the conclusion that social networking is screwed up because the people who use it most are the people who are least invested in reality.

    Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.

    It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.

    There were other instances of similar behavior too. People hover around Facebook, looking for some reason to cause a scene. Why was this, I wondered.

    It seems to me that if you have found something worth doing in life, you're mostly doing it. That doesn't mean your job. If your job sucks, you've probably got a project on the side. You're not going to devote your time to screwing around, which is what most people on Facebook do.

    This means that social networking including Facebook selects out the people who have any direction in life, and leaves the resentful, bored, unemployed, disabled, upset, insane, teenage, etc. and concentrates them in large numbers. This is why so much of the response is crazy.

    I should amend the post title. I used to keep trying to use Facebook (and MySpace, Digg, Reddit, Friendster, Pinterest, etc.). But now, I don't. These aren't places where healthy people hang out.

  9. Re:Um... How? by Culture20 · · Score: 3, Informative

    These sites are including javascript from facebook. Check your noscript/requestpolicy lists on those pages and you'll be surprised how many external sites those pages include javascript and images from. This was bound to happen (and worse things have probably happened in secret).

  10. Story Subject Fail by OzPeter · · Score: 4, Informative

    Facebook did not "Break major websites". Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook) were screwed over when they went to third party sites. Sheesh .. even TFS explains that.

    Are we now starting to refer to the Internet as teh Facebook???

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:Story Subject Fail by Bogtha · · Score: 2

      Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook)

      I think you've misunderstood. By "logged into Facebook", they don't mean they were actually looking at Facebook at the time. It means they had previously logged into Facebook at some point and their browser has a cookie saved which authenticates them to Facebook.

      These people were surfing the web normally. They weren't on Facebook. They got to a site that used Facebook for authentication, and the JavaScript that these sites embedded to enable that had a defect in it that noticed they were logged into Facebook and caused the error.

      From the end user's perspective, it was simply a case of surfing as normal, and then suddenly a Facebook error message hijacked the website they were trying to visit.

      --
      Bogtha Bogtha Bogtha
  11. Re:Um... How? by Anonymous Coward · · Score: 4, Insightful

    In short, "Web bugs", short bits of code that are included inline from another provider. Basically these sites had on their front page a "get shit from facebook" or some such badge displayed, that badge is not created by the site owner but is sourced inline from facebook, now if the thing they pull from facebook is broken and facebook presents a redirect to your browser in place of the web bug (badge, whatever) then your browser dutifully redirects.

    If facebook were malicious they could commandeer half of the web.

  12. It Has Its Ups and Downs by eldavojohn · · Score: 5, Interesting

    can we please stop relying on third parties for things *you* should be providing to your users.

    Clearly it has benefits and disadvantages. One of the disadvantages is displayed in this story. I could name a decent amount of benefits though: 1) you don't have to register again and again every time you want to use some site. 2) you don't suffer from password fatigue. 3) you don't have to worry about no talent ass clowns storing your username and password in plaintext (although you do have to worry about facebook being no talent ass clowns about that). 4) if I just want to stand up a quick little site that is nothing more than CRUD associated to users then all that login stuff can be offloaded to facebook or whomever. 5) from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

    Are you opposed to openID too?

    --
    My work here is dung.
    1. Re:It Has Its Ups and Downs by Rockoon · · Score: 4, Insightful

      Indeed.

      I think many people are in support of third party authentication semantics for non-critical sites.

      Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

      --
      "His name was James Damore."
    2. Re:It Has Its Ups and Downs by DogDude · · Score: 2, Insightful

      from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

      For an individual, there's only one edge: a sharp one. Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site? Isn't it obvious to people that by signing in with a Facebook ID to web sites, that not only does Facebook track everything done, but then sells that information to everybody else? That's how those extremely complete personal profiles are created about individuals in corporate databases that are then swapped and sold indefinitely. What benefit could this possibly have for individuals?

      --
      I don't respond to AC's.
    3. Re:It Has Its Ups and Downs by whargoul · · Score: 5, Interesting

      ...what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

      I use Twitter when the option is available only because they don't collect data on me like facebook does. If it's facebook only, I usually won't sign up.

    4. Re:It Has Its Ups and Downs by Sockatume · · Score: 2

      If Facebook sold that information you'd have a point, but as it's not disclosed in any of their privacy literature that'd be a monstrous and legally actionable breach of their information protection obligations.

      --
      No kidding!!! What do you say at this point?
    5. Re:It Has Its Ups and Downs by DragonWriter · · Score: 3, Interesting

      Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)

      OpenID. Sure, a provider having a similar error could stop users of that provider from logging on to your site, but it's not a single point of failure for the entire site, it's a single point of failure for the user and all the sites they use it to log into.

    6. Re:It Has Its Ups and Downs by DogDude · · Score: 2, Insightful

      Hey kid, I've got a bridge to sell ya'....

      --
      I don't respond to AC's.
  13. Re:Details: Logging in from 3rd party sites? by SJHillman · · Score: 5, Informative

    The third-party sites load a chunk of Facebook onto their site, so if you're logged into Facebook then you're logged into that chunk on the third-party site. The third-party site doesn't have your login or information - it's passed between you and the chunk of Facebook on that site. Or at least, that's how it's supposed to work.

    It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.

  14. Re:Um... How? by Anonymous Coward · · Score: 2, Insightful

    The key is "client is directed to Facebook". Sites include 3rd party scripts all the time, blindly executing whatever gets sent back. If that includes a simple assignment to window.location, there's your redirect.

  15. Re:Um... How? by Anonymous Coward · · Score: 4, Interesting

    The Steam browser is a nice example of facebook javascript gone wrong. Every page with a "like" script on it redirects to some facebook address as soon as the page finishes loading. The end result is that you see what you wanted to see, but the URL bar is always some sort of lengthy facebook redirect because Steam is trying to load it somehow but fails and leaves you on the page you wanted to visit anyway.

  16. What's also interesting... by raehl · · Score: 3, Interesting

    ...I got this bug on a website I do *NOT* use Facebook to log into, so the Facebook statement appears incorrect in that regard. (I was logged into Facebook in that browser though.)

  17. Re:And... by lattyware · · Score: 2

    Which is why we should be asking for two-factor auth on every site, and using unique random passwords stored in a password vault for websites that need passwords. That way, if someone gets your password, it's a) useless without your phone b) useless for any other site. Unfortunately, it's extra hassle for developer and end user, so only a few people do it.

    --
    -- Lattyware (www.lattyware.co.uk)
  18. Re:Um... How? by chihowa · · Score: 2

    Worse than that. Many (most?) of them have you pull the foreign code from the foreign site directly. So even if they did audit it, the foreign site could change the code and their site would dutifully ask you to run it.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
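
A defensive inventory of the dependency the comments above describe, as an added example that is not part of the thread or any poster's code: it lists the scripts a page loads from other origins and whether each is pinned with a Subresource Integrity hash, the browser check that refuses a file that changed after it was audited. The sample HTML, the hostnames and the function names are constructed for illustration.

```javascript
// Added example: which origins can run code on this page, and which are pinned?
// SAMPLE_HTML and every hostname in it are constructed for illustration.
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://connect.social.example/sdk/all.js"></script>
  <script async src="//cdn.widgets.example/comments/embed.js"></script>
  <script src="https://cdn.libs.example/lib-1.9.1.min.js"
          integrity="sha384-PLACEHOLDERDIGEST" crossorigin="anonymous"></script>
  <script>var inline = true;</script>
</head><body></body></html>`;

// Parse the attributes of one <script ...> start tag into a plain object.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const body = tag.replace(/^<script\b/i, '').replace(/>$/, '');
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return one record per external script whose origin differs from the page's.
function auditThirdPartyScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    if (!attrs.src) continue;                  // inline script, nothing fetched
    const url = new URL(attrs.src, pageUrl);   // resolves relative and //host forms
    if (url.origin === pageOrigin) continue;   // first-party
    findings.push({
      origin: url.origin,
      path: url.pathname,
      pinned: /^sha(256|384|512)-/.test(attrs.integrity || ''),
    });
  }
  return findings;
}

// Origins whose code can change without the embedding site noticing.
function unpinnedOrigins(html, pageUrl) {
  return [...new Set(auditThirdPartyScripts(html, pageUrl)
    .filter(f => !f.pinned).map(f => f.origin))].sort();
}

console.log(unpinnedOrigins(SAMPLE_HTML, 'https://news.example/story'));
```

A script the vendor updates in place cannot be pinned this way, because the hash would stop matching, so those origins remain a matter of trust.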