Facebook Breaks Major Websites With Redirection Bug
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
so... (Score:5, Insightful)
can we please stop relying on third parties for things *you* should be providing to your users.
Re:so... (Score:5, Funny)
Hey, just because all of my forum stuff comes from Disqus, my word of mouth spreading comes from twitter, facebook, and google plus integrations, and my content comes from automatic AP feeds doesn't mean I don't provide anything myself! I . . . . uh . . . .
Re:so... (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
I deal with the goddamn customers!
I have people skills, damnit!
Re: (Score:2)
Re: (Score:2)
...said the person who just finished installing an autoreply bot...
Re:so... (Score:5, Interesting)
Re: (Score:2)
He pulls in about $50 a month with a site that basically runs itself.
Not bad. A site that pays for its own development in 2 years is not something to sneeze at, it took Facebook a lot longer than that.
It Has Its Ups and Downs (Score:5, Interesting)
can we please stop relying on third parties for things *you* should be providing to your users.
Clearly it has benefits and disadvantages. One of the disadvantages is displayed in this story. I could name a decent amount of benefits though: 1) you don't have to register again and again every time you want to use some site. 2) you don't suffer from password fatigue. 3) you don't have to worry about no talent ass clowns storing your username and password in plaintext (although you do have to worry about facebook being no talent ass clowns about that). 4) if I just want to stand up a quick little site that is nothing more than CRUD associated to users then all that login stuff can be offloaded to facebook or whomever. 5) from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).
Are you opposed to openID too [wikipedia.org]?
Re:It Has Its Ups and Downs (Score:5, Insightful)
I think many people are in support of third party authentication semantics for non-critical sites.
Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)
Re:It Has Its Ups and Downs (Score:5, Interesting)
...what else is so ubiquitous as to be a reasonable option that also doesn't suffer the same essential problems (certainly not a google account?)
I use Twitter when the option is available only because they don't collect data on me like facebook does. If it's facebook only, I usually won't sign up.
Re: (Score:2)
I use Twitter when the option is available only because they don't collect data on me like facebook does. If it's facebook only, I usually won't sign up.
Of course Twitter collects as much data on you as they possibly can. How else are they making money?
Re:It Has Its Ups and Downs (Score:4, Interesting)
OpenID. Sure, a provider having a similar error could stop users of that provider from logging on to your site, but it's not a single point of failure for the entire site, it's a single point of failure for the user and all the sites they use it to log into.
Re: (Score:3, Insightful)
For an individual, there's only one edge: a sharp one. Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site? Isn't it obvious to people that by signing in with a Facebook ID to web sites, that not only doe
Re: (Score:3)
If Facebook sold that information you'd have a point, but as it's not disclosed in any of their privacy literature that'd be a monstrous and legally actionable breach of their information protection obligations.
Re: (Score:3, Insightful)
Re: (Score:2)
Facebook is an advertising company. Their product is highly granular, per-user demographics and profiles. That product is based on information gathered from tracking their users' posts, relationships, browsing history and basically any info they can get their hands on (raw materials). The product is then sold to their customers; anyone who does a targeted media buy on their site, as well as advertisers and marketing firms.
Without the raw materials, Facebook would not be a for-profit venture and their sto
Re: (Score:2)
Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site?
Most people would not want that.
But most people don't care. First of all most people don't even know, or consider what is actually happening. Secondly it is convenient for most people. And that's pretty much why it will continue.
Nothing to do with accounts (Score:2)
The problem yesterday had nothing to do with sites offloading authentication to Facebook. It was simply sites that have a little Facebook ad--like "what's popular on Facebook." I experienced this yesterday, just looking for a store location--there was a Facebook ad on the page that instantly redirected to Facebook.
Re:so... (Score:5, Insightful)
On the other hand, a hearty "HA HA!" does feel appropriate here. They do get what they are asking for by being so deeply tied to a third party.
What's also interesting... (Score:4, Interesting)
...I got this bug on a website I do *NOT* use Facebook to log into, so the Facebook statement appears incorrect in that regard. (I was logged into Facebook in that browser though.)
Re: (Score:2)
IMHO, OpenID is better. Whether google is trustworthy or not is a matter of opinion, and google can be just another OpenID provider. If we want a single provider, the world will never settle for a single trusted entity.
Re: (Score:2)
Re: (Score:1)
Let's just get in touch with every CDN in existence and get them to shut down everything they're doing then. Clearly centralising providers of commonly-used resources is an abysmally terrible idea.
(Sarcasm, just in case you can't tell)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
"... can we please stop relying on third parties for things *you* should be providing to your users."
Actually, this probably didn't come from anything that is "provided" to customers.
Typically, when you link your site to Facebook (especially if you're not careful), you include a piece of JavaScript that Facebook supplies. Essentially, it's user-tracking, which is NOT a service "provided" to site visitors, unless you happen to like that sort of thing.
Sadly, many websites actually pull this JavaScript in realtime from Facebook itself, rather than hard-coding the JavaScript into their page.
So at any
Re: (Score:2)
Facebook JS files are not open source; by "hardcoding them", you're actually committing copyright infringement.
Re: (Score:2)
"Facebook JS files are not open source; by "hardcoding them", you're actually committing copyright infringement."
So? It's still the better way to go about it. The host company (like Google or Facebook) will never know. And if you don't? Look at the poor schmucks in TFA.
Of course, if you do that it has to be updated periodically; the host company can't update it on your site, so you have to.
But I am most definitely not in favor of making my websites hostage to other web services for their basic operation. That's just asking for trouble. As we can clearly see here.
Re: (Score:2)
Oh, and if you hardcode them, how do you expect them to be able to do XHR requests to their servers, in violation of the same origin policy [wikipedia.org]? There's no point in serving JS if you prevent it from working.
Re: (Score:2)
"Oh, and if you hardcode them, how do you expect them to be able to do XHR requests to their servers, in violation of the same origin policy? There's no point in serving JS if you prevent it from working."
I've never used any that did that, and wouldn't use any that did that. That's a violation of MY policy.
Congrats (Score:5, Insightful)
If you let others insert scripts into your pages they can steal your visitors.
Maybe it'll make sites think about who they script src from.
Re:Congrats (Score:5, Insightful)
If you let others insert scripts into your pages they can steal your visitors.
Maybe it'll make sites think about who they script src from.
One of the bad things I've noticed recently is that HSBC [hsbc.co.uk] is including objects from third party organisations in their ebanking login pages. I do wonder if any thought has gone into the security of such things, or if HSBC simply don't care (my experience of banks tells me that none of them have a single clue when it comes to internet security).
Re: (Score:2, Funny)
Well if drug kingpins and terrorists use them, they must be a pretty good bank.
And... (Score:1)
...people wonder why some of us block external crap on sites, not just ads.
Re: (Score:3)
Good. (Score:1)
Serves every one of these websites for being Facebook lemmings.
Re: (Score:2, Funny)
They prefer to be called facebook serfs
use adblock+ to block social media extensions (Score:1)
The fanboy adblock lists include another list you can add which also blocks out all social media badges etc.
Re: (Score:2)
Re: (Score:2)
Oh, great. Good plan. Completely block Facebook with a hosts file. This only affected logged in Facebook users. People who aren't going to add facebook's scripting domains to their hosts file.
Re: (Score:2)
On all my systems I replace hosts with this nice updated ad/spy/trojan blocking one:
http://winhelp2002.mvps.org/hosts.txt [mvps.org]
Can fellow /. readers recommend any other good ones?
Here Endeth The Lesson. (Score:3)
Not that it will; but let that be a lesson to you.
Re: (Score:2)
No NO NO you have to do it right
[play sound: THX Big Note.wav] THUS ENDETH THE LESSON
but anywho if i was one of those sites i would have my legal staff have a chat with Facebook about not having this happen again EVER.
Re: (Score:2)
Thanks teach! I have learned that people rarely learn the lesson. I think. Will this be on the final exam?
Um... How? (Score:2)
Re:Um... How? (Score:4, Interesting)
I suspect horrible article is the main culprit. At a guess I suspect this is nothing more than Facebook's authentication service failing.
Client is directed to Facebook for authentication, mechanism fails, Facebook tosses up error page. The implication that Facebook did anything wrong other than having buggy authentication is likely way off base.
Full disclosure, don't have a facebook page, never visited a facebook page, have zero interest in facebook.
Re: (Score:2, Insightful)
The key is "client is directed to Facebook". Sites include 3rd party scripts all the time, blindly executing whatever gets sent back. If that includes a simple assignment to window.location, there's your redirect.
Re:Um... How? (Score:4, Informative)
Re:Um... How? (Score:4, Interesting)
The Steam browser is a nice example of facebook javascript gone wrong. Every page with a "like" script on it redirects to some facebook address as soon as the page finishes loading. The end result is that you see what you wanted to see, but the URL bar is always some sort of lengthy facebook redirect because Steam is trying to load it somehow but fails and leaves you on the page you wanted to visit anyway.
Re:Um... How? (Score:4, Insightful)
In short, "Web bugs", short bits of code that are included inline from another provider. Basically these sites had on their front page a "get shit from facebook" or some such badge displayed, that badge is not created by the site owner but is sourced inline from facebook, now if the thing they pull from facebook is broken and facebook presents a redirect to your browser in place of the web bug (badge, whatever) then your browser dutifully redirects.
If facebook were malicious they could commandeer half of the web.
Re: (Score:2)
Re: (Score:3)
Worse than that. Many (most?) of them have you pull the foreign code from the foreign site directly. So even if they did audit it, the foreign site could change the code and their site would dutifully ask you to run it.
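Added example, not part of the thread or of any commenter's post: a Node.js audit of the pattern described in the comments above, listing every script a page fetches live from another origin and whether it carries a Subresource Integrity `integrity` attribute, which makes the browser refuse a script whose content no longer matches the pinned hash. The page URL, host names, hash value and sample HTML are constructed for illustration.

```javascript
'use strict';

// Constructed sample page; all hosts and the hash are placeholders.
const PAGE_URL = 'https://news.example.com/story';
const SAMPLE_HTML = `
<html><head>
<script src="/static/app.js"></script>
<script src="https://widgets.social.example.net/sdk.js" async></script>
<script src="//cdn.example.org/lib.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>var inline = 1;</script>
<SCRIPT SRC='http://stats.example.net/t.js'></SCRIPT>
</head><body></body></html>`;

// Parse the attribute text of one start tag into a map with lower-cased names.
// Handles double-quoted, single-quoted, unquoted and valueless attributes.
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// Return one finding per <script src> whose origin differs from the page's.
// Such a script runs with the page's full privileges, so whoever serves it
// can change what it does (including navigating the window) at any time.
function auditScripts(html, pageUrl) {
  const page = new URL(pageUrl);
  const findings = [];
  // Simplification: assumes no '>' inside attribute values.
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (!attrs.src) continue;               // inline script, shipped by the site
    const url = new URL(attrs.src, page);   // resolves relative and // URLs
    if (url.origin === page.origin) continue;
    findings.push({
      origin: url.origin,
      src: url.href,
      pinned: Boolean(attrs.integrity),     // SRI hash present
      plaintext: url.protocol === 'http:',  // also modifiable in transit
    });
  }
  return findings;
}

// Third-party scripts the remote host can change without the site noticing.
function unpinned(findings) {
  return findings.filter((f) => !f.pinned);
}

for (const f of auditScripts(SAMPLE_HTML, PAGE_URL)) {
  const flags = [f.pinned ? 'SRI-pinned' : 'UNPINNED'];
  if (f.plaintext) flags.push('plain-http');
  console.log(`${f.origin}  ${f.src}  [${flags.join(', ')}]`);
}
```

A pinned script that the provider later changes fails to load instead of running, so pinning only suits scripts served at stable, versioned URLs.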
Re: (Score:2)
Slashdot itself loads a few JS files directly from third-party servers, particularly Google's (through Google Analytics).
Re: (Score:2)
I successfully made it to Papa John's web site to order pizza last night. When I got to the last page of checkout, I immediately got redirected to Facebook.
Apparently they're including Facebook Javascript code on all their pages, and I happened to be in the middle of ordering a pizza when the bug hit.
Why Javascript is allowed to redirect a web site these days without user intervention is beyond me. Most Javascript methods that open windows or navigate you require being triggered by a click event or other
Re: (Score:2)
I think a lot of web apps would break if Javascript couldn't mess with the window location / back button / tab history, etc. Think of things like Gmail and Google Docs. Unlike pop-ups and so on, it does actually have a useful purpose.
Re: (Score:2)
Back buttons would require a click. As long as they have to be tied in some way to a click the way pop-ups do. They aren't blocked, they just have to be proven as user-initiated.
facebook (Score:5, Funny)
Re: (Score:1)
1. Offer multibillion IPO
2. Seize control of internet
3. ???
4. Well, monetizing for profit is still problematic
Re: (Score:2)
Re: (Score:2)
The ultimate phishing attack.
Details: Logging in from 3rd party sites? (Score:1)
I was logged into Facebook when I got this redirect.
However, the website I got it from is one I have never placed a Facebook "like" on or written a comment on with my profile.
Does "a bug that redirected people logging in with Facebook from third party sites" mean that the site has my Facebook details?
The URL was this:
https://www.facebook.com/dialog/permissions.request?client_id=__15digitno__&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.website.com&origin=1&redirect
Re:Details: Logging in from 3rd party sites? (Score:5, Informative)
The third-party sites load a chunk of Facebook onto their site, so if you're logged into Facebook then you're logged into that chunk on the third-party site. The third-party site doesn't have your login or information - it's passed between you and the chunk of Facebook on that site. Or at least, that's how it's supposed to work.
It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.
Re: (Score:2)
It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.
Yes, but do we have to?
Most of those websites look crippled until the last of these dozen services finally loads 3 minutes later. Blockbuster.com used to hang (unresponsive) for about 30 seconds while the browser said "contacting adserve...fb.com".
Re: (Score:2)
Most of those websites look crippled until the last of these dozen services finally loads 3 minutes later.
I know, right? Browsing the web with NotScript (Chrome extension) is a real eye-opener. Some sites simply load as a blank white screen until you whitelist scripts to run! It's especially good when you first open a site, it has three sources for scripts, then when you enable one, suddenly 15 more appear in the list. It's great being able to disable most of the junk people toss on sites from the get-go, but sometimes it's irritating to have to dig through the long chain of scripts just to make a web site func
Re: (Score:2)
It's not the 90's anymore... you can load a page that's connected to dozens of different services that are almost completely independent of each other and the page you're on.
For some reason, that makes me a sad panda... :(
Re: (Score:1)
You don't need to like or comment. You have been logged automatically (as in: they know where you've been). It's a feature!
Re: (Score:2)
sdk=joey?
function getJoey()
{
return "Doh";
}
Single point of failure (Score:2, Interesting)
Recently we have seen very widespread "single point of failure" issues. Notably with Facebook and Apple who are both so pervasive in society. These firms are constantly doing major and complicated software updates and those updates are propagated either invisibly in the background or introduced through "voluntary" software updates where you don't get major new features unless you do the update and you have to simply live with whatever bugs or feature cripples come along with it.
The fact so many people are
Re:Single point of failure (Score:4, Informative)
I use Facebook, I admit it. However, I only use Facebook for Facebook. If I log in to another site, I don't use the "Connect with Facebook" option to log in. If the site only allows you to log in with Facebook, I leave. I've yet to find a mission critical site like banks, etc that use Facebook or another service. Therefore, I'm doing my part to save humanity from the single point of failure.
Re: (Score:2)
Unfortunately it sounds like this bug would have hit users such as yourself also. I think when leaving FB to visit another site it is best to log out.
Multi-instance/multi-profile browsers would also be something nice. Especially those that limit what they report about the machine they are on (less fingerprint via installed fonts/cookies/html5 dbs/flash objects/etc)
Re: (Score:2)
Re: (Score:2)
What was the apple one? I don't recollect it
The only one I can remember was when the server that responds to WISPr probes went down, rendering everyone's ipad unable to connect to a network...
Background:
When an iOS device associates with a wifi network, it makes a web request to apple's server to see if it's behind a captive portal. It expects to get back "SUCCESS" (returned by Apple's server) or a captive portal login page (returned by the wifi hotspot). If it doesn't get "SUCCESS" it displays the captive portal page so the user can log in. Unfort
Re: (Score:2)
Windows does the same thing, but AFAIK the only thing that happens if it doesn't get the OK response is the user gets a little popup balloon from the system tray warning them an internet connection is not available.
Re: (Score:2)
When an Apple device connects to a wifi network, it checks http://www.apple.com/library/test/success.html [apple.com] to see if the network is connected to the Internet. Unfortunately, some bozo deleted that file...
I keep trying to use Facebook. (Score:5, Insightful)
I've come to the conclusion that social networking is screwed up because the people who use it most are the people who are least invested in reality.
Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.
It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.
There were other instances of similar behavior too. People hover around Facebook, looking for some reason to cause a scene. Why was this, I wondered.
It seems to me that if you have found something worth doing in life, you're mostly doing it. That doesn't mean your job. If your job sucks, you've probably got a project on the side. You're not going to devote your time to screwing around, which is what most people on Facebook do.
This means that social networking including Facebook selects out the people who have any direction in life, and leaves the resentful, bored, unemployed, disabled, upset, insane, teenage, etc. and concentrates them in large numbers. This is why so much of the response is crazy.
I should amend the post title. I used to keep trying to use Facebook (and MySpace, Digg, Reddit, Friendster, Pinterest, etc.). But now, I don't. These aren't places where healthy people hang out.
Re: (Score:2)
Re: (Score:1)
Really, the only two-way stuff I use is:
Slashdot, because of the good moderation system and good supply of topics that I want to see other people's comments about as much as the topic itself
and 4chan (yes, seriously) because it's sort of a zero-point energy of random discussion with its default anonymity and constantly expiring threads (it's too much hardcore internet trolling and memes for the average person though) But stay away from /b/, nothing interesting happens there anymore.
I avoid the twits and
Re: (Score:2)
Unhappiness and dysgenics (Score:2)
I've noticed this as well. People tend to try to "justify" their lives using lifestyle and/or perceived success. For example, a recent survey of Facebook fri
Re: (Score:2)
Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.
It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.
You realize that the people "on Facebook" in this regard are your friends? You post an article, it's your friends who comment on it. What you're complaining about isn't Facebook's userbase in general, but that subset of it that you consider your friends. For what it's worth, I've had extended political and religious (basically the two most flamebait-y topics possible) discussions on Facebook where most people remained civil and presented reasoned arguments (and the few who didn't were just ignored). That's
Story Subject Fail (Score:5, Informative)
Facebook did not "Break major websites". Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook) were screwed over when they went to third party sites. Sheesh .. even TFS explains that.
Are we now starting to refer to the Internet as teh Facebook???
Re: (Score:2)
It broke the expected functionality of third-party websites. But I agree that Internet is not Facebook. At most, you might be able to claim Facebook broke a chunk of the WWW, but certainly not the Internet as only websites were affected. It's like saying a minor design flaw in a part used by many different car manufacturers completely disrupted our entire transportation infrastructure.
Re: (Score:2)
You seem to be under the impression that it was people visiting sites from links on Facebook that had an issue. If you visited any of the sites, directly, while logged into Facebook you were affected.
Re: (Score:2)
> If you visited any of the sites, directly, while logged into
> Facebook you were affected.
And therefore it affected only Facebook users. Neither the Web nor the Net was broken. Just Facebook.
Re: (Score:3)
I think you've misunderstood. By "logged into Facebook", they don't mean they were actually looking at Facebook at the time. It means they had previously logged into Facebook at some point and their browser has a cookie saved which authenticates them to Facebook.
These people were surfing the web normally. They weren't on Facebook. They got to a site that used Facebook for authentication, and th
Re: (Score:2)
Facebook did not "Break major websites".
This.
Facebook broke Facebook, and some third party sites were affected.
Re: (Score:2)
> Are we now starting to refer to the Internet as teh
> Facebook???
Well, you're already confounding the Web and the Net.
If it was anyone else... (Score:2)
I'd be of the mind that it wasn't a bug, but intentional. But FB? They don't really need the page views....do they? Stock has taken a bit of a dip again since the graph thing came to light...though still high enough that I'm sitting pretty (bought when it was around 19.50 or so).
Annoying! (Score:1)
Too big to fail (Score:1)
Obviously Facebook is too big to fail, so every time they bork the internet we should give them a billion dollars.
Re: (Score:2)
No internet company should be too big to fail. .... But we give them billions anyway. Google in advertising, Facebook as "like" people, Microsoft for your desktop OS. Apple because it is shiny.
clear skies fuck you up (Score:2)
I never use another site to log into a different site. Sure, Facebook is big today, but this is the internet, this is technology. Myspace? Geocities?
What do you do when FB for whatever reason, suddenly stops? All those sites you used to use facebook to log in, you can't get in. You think FB is going to care when their stock is going for pennies?
My suggestion, don't use other sites to handle your log in for you.
My other suggestion: FB is a troll, quit feeding it.
Re: (Score:2)
I participate in comment discussion on the Gawker blogs - Lifehacker, particularly. They took away their own login system after they screwed it up so badly they gave away everyone's password. The community there is nice, but the site owners are stupid. I say, please let them use Facebook. When Facebook stops? They'll give me a way to transition to whatever they choose next.
Of course, if I have a choice, I don't log in with Facebook.
But I believe that Facebook Connect provides enough demographic info ba
A Javascript problem, really (Score:2)
Javascript has been putting in security restrictions for a while now. You can't open a new window without a user click. Most browsers now block automatic window popups.
Why are we still allowing something as archaic as a Javascript redirect? We already have meta tags and HTTP header redirects. We don't need browser navigation without a click to exist in Javascript.
Sure, you could blame Facebook - they did put out a bad script, but the fact that this is even possible is really on the browser makers.
Ran into this. Only happened if I was logged in (Score:2)
I was getting this yesterday when reading an article on Mashable. I noticed that it stopped doing it by logging out of Facebook. Probably something I should be doing anyway to prevent them from tracking me all over the place.
And . . . (Score:2)
. . . nothing of value was lost.
Facebook is a fun distraction but protect yourself (Score:2)
"Quickly Resolved"...? (Score:2)
I noticed this several times across a span of 9 hours, from first notice to last notice. I would hardly call that "quick".