Forgot your password?
typodupeerror
Bug Facebook The Internet Technology

Facebook Breaks Major Websites With Redirection Bug 179

Posted by Soulskill
from the now-we're-tripping-on-virtual-power-cords dept.
johnsnails writes "Some of the biggest news sites in the world disappeared yesterday when Facebook took over the internet with a redirection bug. Visitors to sites such as The Washington Post, BuzzFeed, the Gawker network, NBC News and News.com.au were immediately transferred to a Facebook error page upon loading their intended site. It was fixed quickly, and Facebook provided this statement: 'For a short period of time, there was a bug that redirected people logging in with Facebook from third party sites to Facebook.com. The issue was quickly resolved, and Login with Facebook is now working as usual.'"
This discussion has been archived. No new comments can be posted.

Facebook Breaks Major Websites With Redirection Bug

Comments Filter:
  • so... (Score:5, Insightful)

    by liamevo (1358257) on Friday February 08, 2013 @09:52AM (#42831337)

    can we please stop relying on third parties for things *you* should be providing to your users.

    • Re:so... (Score:5, Funny)

      by Seumas (6865) on Friday February 08, 2013 @09:57AM (#42831385)

      Hey, just because all of my forum stuff comes from Disqus, my word of mouth spreading comes from twitter, facebook, and google plus integrations, and my content comes from automatic AP feeds doesn't mean I don't provide anything myself! I . . . . uh . . . .

    • by eldavojohn (898314) * <eldavojohn@nOspAM.gmail.com> on Friday February 08, 2013 @10:08AM (#42831509) Journal

      can we please stop relying on third parties for things *you* should be providing to your users.

      Clearly it has benefits and disadvantages. One of the disadvantages is displayed in this story. I could name a decent amount of benefits though: 1) you don't have to register again and again every time you want to use some site. 2) you don't suffer from password fatigue. 3) you don't have to worry about no talent ass clowns storing your username and password in plaintext (although you do have to worry about facebook being no talent ass clowns about that). 4) if I just want to stand up a quick little site that is nothing more than CRUD associated to users then all that login stuff can be offloaded to facebook or whomever. 5) from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

      Are you opposed to openID too [wikipedia.org]?

      • by Rockoon (1252108) on Friday February 08, 2013 @10:25AM (#42831691)
        Indeed.

        I think many people are in support of third party authentication semantics for non-critical sites..

        Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesnt suffer the same essential problems (certainly not a google account?)
        • by whargoul (932206) on Friday February 08, 2013 @10:59AM (#42832051) Homepage

          ...what else is so ubiquitous as to be a reasonable option that also doesnt suffer the same essential problems (certainly not a google account?)

          I use Twitter when the option is available only because they don't collect data on me like facebook does. If it's facebook only, I usually won't sign up.

        • by DragonWriter (970822) on Friday February 08, 2013 @11:40AM (#42832601)

          Even though ultimately facebook is probably a bad choice for it, what else is so ubiquitous as to be a reasonable option that also doesnt suffer the same essential problems (certainly not a google account?)

          OpenID. Sure, a provider having a similar error could stop users of that provider from logging on to your site, but its not a single point of failure for the entire site, its a single point of failure for the user and all the sites they use it to log into.

      • by DogDude (805747) on Friday February 08, 2013 @10:33AM (#42831759) Homepage
        from a large corporation standpoint, you can now get additional social data about your users from the facebook api (I know, this isn't necessarily an advantage for the end user and is best viewed as double edged).

        For an individual, there's only one edge: a sharp one. Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site? Isn't it obvious to people that by signing in with a Facebook ID to web sites, that not only does Facebook track everything done, but then sells that information to everybody else? That's how those extremely complete personal profiles are created about individuals in corporate databases that are then swapped and sold indefinitely. What benefit could this possibly have for individuals?
        • by Sockatume (732728) on Friday February 08, 2013 @11:11AM (#42832219)

          If Facebook sold that information you'd have a point, but as it's not disclosed in any of their privacy literature that'd be a monstrous and legally actionable breach of their information protection obligations.

          • by DogDude (805747) on Friday February 08, 2013 @11:51AM (#42832753) Homepage
            Hey kid, I've got a bridge to sell ya'....
          • by theskipper (461997) on Friday February 08, 2013 @02:48PM (#42835355)

            Facebook is an advertising company. Their product is highly granular, per-user demographics and profiles. That product is based on information gathered from tracking their users' posts, relationships, browsing history and basically any info they can get their hands on (raw materials). The product is then sold to their customers; anyone who does a targeted media buy on their site, as well as advertisers and marketing firms.

            Without the raw materials, Facebook would not be a for-profit venture and their stock would be worthless. You can argue semantics that they're not blatantly selling the info. But the info is getting sold in some fashion, it's their business plan and clear as day in the original prospectus filed with the SEC.

        • by chrismcb (983081) on Sunday February 10, 2013 @01:42AM (#42848339) Homepage

          Who in their right mind would want every company/web site to know all of the intimate details of what they're doing on every other web site?

          Most people would not want that.
          But most people don't care. First of all most people don't even know, or consider what is actually happened. Secondly it is convenient for most people. And thats pretty much why it will continue.

      • by Tony Isaac (1301187) on Saturday February 09, 2013 @01:44AM (#42841315) Homepage

        The problem yesterday had nothing to do with sites offloading authentication to Facebook. It was simply sites that have a little Facebook ad--like "what's popular on Facebook." I experienced this yesterday, just looking for a store location--there was a Facebook ad on the page that instantly redirected to Facebook.

    • Re:so... (Score:5, Insightful)

      by orthancstone (665890) on Friday February 08, 2013 @10:11AM (#42831533)
      On one hand, I'd prefer to see authentication in the hands of someone I consider more reliable (like Google) than someone programmer of questionable ability at (Insert Random Dying Newspaper here).

      On the other hand, a hearty "HA HA!" does feel appropriate here. They do get what they are asking for by being so deeply tied to a third party.
    • by deains (1726012) on Friday February 08, 2013 @10:34AM (#42831763)

      Let's just get in touch every CDN in existence and get them to shut down everything they're doing then. Clearly centralising providers of commonly-used resources is an abysmally terrible idea.
       
      (Sarcasm, just in case you can't tell)

    • by ElmoGonzo (627753) on Friday February 08, 2013 @11:11AM (#42832223)
      I've less quarrel with the concept of using a 3rd party to verify identity (that's what a driver's license does when we aren't on line) than with the notion of using the services of a "free" site that gets its revenue by tracking its users and selling that information to advertisers and the like. And do I want to stay logged in to something like Facebook when it is exposing my information (not all of which is bogus fiction) to anyone who has access to their API? And yes, Google is doing much of the same as are numerous others.
    • by Dragonslicer (991472) on Friday February 08, 2013 @12:50PM (#42833665)
      Exactly. After all, nobody that's ever written their own authentication code has ever screwed it up.
    • by Jane Q. Public (1010737) on Friday February 08, 2013 @02:52PM (#42835395)

      "... can we please stop relying on third parties for things *you* should be providing to your users."

      Actually, this probably didn't come from anything that is "provided" to customers.

      Typically, when you link your site to Facebook (especially if you're not careful), you include a piece of JavaScript that Facebook supplies. Essentially, it's user-tracking, which is NOT a service "provided" to site visitors, unless you happen to like that sort of thing.

      Sadly, many websites actually pull this JavaScript in realtime from Facebook itself, rather than hard-coding the JavaScript into their page.

      So at any time, all Facebook has to do is change this JavaScript in a single location at their own web service, to affect all users of that JavaScript, everywhere. (Except for those few smart folks to hard-code it in the page.)

      • by icebraining (1313345) on Friday February 08, 2013 @09:33PM (#42839851) Homepage

        Facebook JS files are not open source; by "hardcoding them", you're actually committing copyright infringement.

        • by Jane Q. Public (1010737) on Saturday February 09, 2013 @02:06AM (#42841405)

          "Facebook JS files are not open source; by "hardcoding them", you're actually committing copyright infringement."

          So? It's still the better way to go about it. The host company (like Google or Facebook) will never know. And if you don't? Look at the poor schmucks in TFA.

          Of course, if you do that it has to be updated periodically; the host company can't update it on your site, so you have to.

          But I am most definitely not in favor of making my websites hostage to other web services for their basic operation. That's just asking for trouble. As we can clearly see here.

  • Congrats (Score:5, Insightful)

    by Anonymous Coward on Friday February 08, 2013 @09:53AM (#42831347)

    If you let others insert scripts into your pages they can steal your visitors.

    Maybe it'll make sites think about who they script src from.

  • by Anonymous Coward on Friday February 08, 2013 @09:55AM (#42831365)

    ...people wonder i some of us block external crap on sites, not just ads.

  • by Seumas (6865) on Friday February 08, 2013 @09:55AM (#42831367)

    Serves every one of these websites for being Facebook lemmings.

  • by Anonymous Coward on Friday February 08, 2013 @09:56AM (#42831375)

    The fanboy adblock lists include another list you can add which also blocks out all social media badges etc.

  • by fuzzyfuzzyfungus (1223518) on Friday February 08, 2013 @09:57AM (#42831391) Journal

    Not that it will; but let that be a lesson to you.

  • by camperdave (969942) on Friday February 08, 2013 @09:57AM (#42831397) Journal
    How is that possible? If I'm going to a site, I type in the URL into the address bar, or I click on a favorite, or click on a link returned by Google, or another search engine. The URL gets sent to a DNS server, which returns the IP address of the site, and then my browser starts making http requests directly from the site. Facebook is never involved. Unless Facebook has somehow poisoned the root DNS servers, I don't see how this is possible.
    • Re:Um... How? (Score:4, Interesting)

      by belthize (990217) on Friday February 08, 2013 @10:02AM (#42831437)

      I suspect horrible article is the main culprit. At a guess I suspect this is nothing more that Facebook's authentication service failing.

      Client is directed to Facebook for authentication, mechanism fails, Facebook tosses up error page. The implication that Facebook did anything wrong other than having buggy authentication is likely way of base.

      Full disclosure, don't have a facebook page, never visited a facebook page, have zero interest in facebook.

      • Re:Um... How? (Score:2, Insightful)

        by Anonymous Coward on Friday February 08, 2013 @10:11AM (#42831539)

        The key is "client is directed to Facebook". Sites include 3rd party scripts all the time, blindly executing whatever gets sent back. If that includes a simple assignment to window.location, there's your redirect.

    • Re:Um... How? (Score:4, Informative)

      by Culture20 (968837) on Friday February 08, 2013 @10:06AM (#42831479)
      These sites are including javascript from facebook. Check your noscript/requestpolicy lists on those pages and you'll be surprised how many external sites those pages include javascript and images from. This was bound to happen (and worse things have probably happened in secret).
      • Re:Um... How? (Score:4, Interesting)

        by Anonymous Coward on Friday February 08, 2013 @10:14AM (#42831579)

        The Steam browser is a nice example of facebook javascript gone wrong. Every page with a "like" script on it redirects to some facebook address as soon as the page finishes loading. The end result is that you see what you wanted to see, but the URL bar is always some sort of lenghty facebook redirect because Steam is trying to load it somehow but fails and leaves you on the page you wanted to visit anyway.

    • Re:Um... How? (Score:4, Insightful)

      by Anonymous Coward on Friday February 08, 2013 @10:06AM (#42831487)

      In short, "Web bugs", short bits of code that are included inline from another provider. Basically these sites had on their front page a "get shit from facebook" or some such badge displayed, that badge is not created by the site owner but is sourced inline from facebook, now if the thing they pull from facebook is broken and facebook presents a redirect to your browser in place of the web bug (badge, whatever) then your browser dutifully redirects.

      If facebook were malicious they could commandeer half of the web.

    • by omnichad (1198475) on Friday February 08, 2013 @10:47AM (#42831927) Homepage

      I successfully made it to Papa John's web site to order pizza last night. When I got to the last page of checkout, I immediately got redirected to Facebook.

      Apparently they're including Facebook Javascript code on all their pages, and I happened to be in the middle of ordering a pizza when the bug hit.

      Why Javascript is allowed to redirect a web site these days without user intervention is beyond me. Most Javascript methods that open windows or navigate you require being triggered by a click event or other human intervention.

  • facebook (Score:5, Funny)

    by hackula (2596247) on Friday February 08, 2013 @09:57AM (#42831399)
    The first successful test. Soon every site will redirect to facebook, then... the world!
  • by Anonymous Coward on Friday February 08, 2013 @10:01AM (#42831423)

    I was logged into Facebook when I got this redirect.

    However, the website I got it from is one I have never placed a Facebook "like" on or written a comment on with my profile.

    Does "a bug that redirected people logging in with Facebook from third party sites" mean that the site has my Facebook details?

    The URL was this:

    https://www.facebook.com/dialog/permissions.request?client_id=__15digitno__&response_type=token%2Csigned_request%2Ccode&display=none&domain=www.website.com&origin=1&redirect_uri=http%3A%2F%2Fstatic.ak.facebook.com%2Fconnect%2Fxd_arbiter.php%3Fversion%3D18%23cb%3Df28691eaa8%26origin%3Dhttp%253A%252F%252Fwww.website.com%252Ff1c830d484%26domain%3Dwww.website.com%26relation%3Dparent&sdk=joey

  • by Anonymous Coward on Friday February 08, 2013 @10:02AM (#42831435)

    Recently we have seen very widespread "single point of failure" issues. Notably with Facebook and Apple who are both so pervasive in society. These firms are constantly doing major and complicated software updates and those updates are propagated either invisibly in the background or introduced through "voluntary" software updates where you don't get major new features unless you do the update and you have to simply live with whatever bugs or feature cripples come along with it.

    The fact so many people are dependent on these very small number of very human folks is a large "single point of failure" risk for society and its individual, business, and government segments.

    JJ

  • by hessian (467078) on Friday February 08, 2013 @10:06AM (#42831477) Homepage Journal

    I've come to the conclusion that social networking is screwed up because the people who use it most are the people who are least invested in reality.

    Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.

    It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.

    There were other instances of similar behavior too. People hover around Facebook, looking for some reason to cause a scene. Why was this, I wondered.

    It seems to me that if you have found something worth doing in life, you're mostly doing it. That doesn't mean your job. If your job sucks, you've probably got a project on the side. You're not going to devote your time to screwing around, which is what most people on Facebook do.

    This means that social networking including Facebook selects out the people who have any direction in life, and leaves the resentful, bored, unemployed, disabled, upset, insane, teenage, etc. and concentrates them in large numbers. This is why so much of the response is crazy.

    I should amend the post title. I used to keep trying to use Facebook (and MySpace, Digg, Reddit, Friendster, Pinterest, etc.). But now, I don't. These aren't places where healthy people hang out.

    • by hodet (620484) on Friday February 08, 2013 @10:18AM (#42831611)
      Facebook free for three months now. I just came to the realization that I was not interacting with all the people I care about in my life on Facebook. I was interacting with them in real life. The only interaction was with "fringe" friends or people you felt obligated to friend because they are "friends of friends" you met somewhere. "Hey great, Joe's wife took a picture of her Big Mac and fries and is enjoying a delicious shake." Ya, I'm outta here.
    • by Megane (129182) on Friday February 08, 2013 @10:20AM (#42831625) Homepage

      Really, the only two-way stuff I use is:

      Slashdot, because of the good moderation system and good supply of topics that I want to see other people's comments about as much as the topic itself

      and 4chan (yes, seriously) because it's sort of a zero-point energy of random discussion with its default anonymity and constantly expiring threads (it's too much hardcore internet trolling and memes for the average person though) But stay away from /b/, nothing interesting happens there anymore.

      I avoid the twits and bookfaces as much as possible. At least 4chan's social cancer is constantly flushed away, unlike twitter and facebook where it stays around and festers.

    • by rmdingler (1955220) on Friday February 08, 2013 @10:27AM (#42831715)
      Well done. I would add unhappy to your list of qualities that make up the bulk of social site users. Many of the people I know who are regular users remain in contact with old flames even though they are now like Al Bundy. Here's to hoping these extra opportunities to procreate don't result in the psychologically healthy being out-bred by this genotypical subset. Oh wait...
      • by hessian (467078) on Friday February 08, 2013 @03:03PM (#42835545) Homepage Journal

        I would add unhappy to your list of qualities that make up the bulk of social site users. Many of the people I know who are regular users remain in contact with old flames even though they are now like Al Bundy. Here's to hoping these extra opportunities to procreate don't result in the psychologically healthy being out-bred by this genotypical subset.

        I've noticed this as well. People tend to try to "justify" their lives using lifestyle and/or perceived success. For example, a recent survey of Facebook friends found that almost 3/4 of the profile pictures contained either (a) alcohol or (b) children. It's like saying "See what I have, I'm doing quite well."

        I don't think that sort of pre-emptive bragging happens when people are actually happy. Instead, as you've observed, there are signs of misery. Lots of scheming and pseudo-romance. It's creepy.

        The dysgenic effects will undoubtedly be felt by future generations. It's as if we're breeding humanity into obese deskbound drama queens that know how to look successful on Facebook, but not succeed at real-life things like happiness and fidelity!

    • by LordLucless (582312) on Friday February 08, 2013 @06:48PM (#42838345)

      Every time I try to use Facebook, I get driven away by the behavior of its users. Not the Instagram dinner plate updates, or the personal drama, because I've already filtered out those people.

      It's the sensitivity. People take anything seriously. I posted an article showing that divorce really screws up kids. I got back a half-dozen replies, all from people who'd had divorces, defending their own decisions. When I said that it wasn't personal, they said they still felt attacked.

      You realize that the people "on Facebook" in this regard are your friends? You post an article, it's your friends who comment on it. What you're complaining about isn't Facebook's userbase in general, but that subset of it that you consider your friends. For what it's worth, I've had extended political and religious (basically the two most flamebait-y topics possible) discussions on Facebook where most people remained civil and presented reasoned arguments (and the few who didn't were just ignored). That's because I've surrounded myself with people who appreciate civility and reason as much as I do.

      Facebook's an enabler, with the usual GIGO provision. You put garbage friends in, you get garbage discussion out.

  • Story Subject Fail (Score:5, Informative)

    by OzPeter (195038) on Friday February 08, 2013 @10:06AM (#42831485)

    Facebook did not "Break major websites". Instead Facebook users who were logged in to Facebook (and hence working under the auspices of Facebook) were screwed over when they went to third party sites. Sheesh .. even TFS explains that.

    Are we now starting to refer to the Internet as teh Facebook???

  • by dywolf (2673597) on Friday February 08, 2013 @10:08AM (#42831503)

    I'd be of the mind that it wasn't a bug, but intentional. But FB? They don't really need the page views....do they? Stock has taken a bit of a dip again since the graph thing came to light...though still high enough that I'm sitting pretty (bought when it was around 19.50 or so).

  • by SirAudioMan (2836381) on Friday February 08, 2013 @10:13AM (#42831563)
    At first I thought I somehow angered facebook and caused my session to get corrupted! Each time I visited a few different news sites after a few seconds It would be redirected to the error page. I ended up having to clear my cache to prevent the annoying redirect. I find facebook is good as a time waster but I find it scary how many sites have access to my logins and can track and control content.
  • by Anonymous Coward on Friday February 08, 2013 @10:35AM (#42831771)

    Obviously Facebook is too big to fail, so every time they bork the internet we should give them a billion dollars.

  • by Nyder (754090) on Friday February 08, 2013 @10:46AM (#42831901) Journal

    I never use another site to log into a different site. Sure, Facebook is big today, but this is the internet, this is technology. Myspace? Geocities?

    What do you do when FB for whatever reason, suddenly stops? All those sites you used to use facebook to log in, you can't get in. You think FB is going to care when their stock is going for pennies?

    My suggestion, don't use other sites to handle your log in for you.

    My other suggestion: FB is a troll, quit feeding it.

    • by omnichad (1198475) on Friday February 08, 2013 @11:12AM (#42832241) Homepage

      I participate in comment discussion on the Gawker blogs - Lifehacker, particularly. They took away their own login system after they screwed it up so badly they gave away everyone's password. The community there is nice, but the site owners are stupid. I say, please let them use Facebook. When Facebook stops? They'll give me a way to transition to whatever they choose next.

      Of course, if I have a choice, I don't log in with Facebook.

      But I believe that Facebook Connect provides enough demographic info back to the site (your email address) that your profile can be rejoined with a new authentication system fairly easily - even if Facebook just disappears at once without any transition period.

  • by omnichad (1198475) on Friday February 08, 2013 @11:06AM (#42832161) Homepage

    Javascript has been putting in security restrictions for a while now. You can't open a new window without a user click. Most browsers now block automatic window popups.

    Why are we still allowing something as archaic as a Javascript redirect? We already have meta tags and HTTP header redirects. We don't need browser navigation without a click to exist in Javascript.

    Sure, you could blame Facebook - they did put out a bad script, but the fact that this is even possible is really on the browser makers.

  • I was getting this yesterday when reading an article on Mashible. I noticed that it stopped doing it by logging out of Facebook. Probably something I should be doing anyway to prevent them from tracking me all over the place

  • by hduff (570443) <hoytduff.gmail@com> on Friday February 08, 2013 @12:32PM (#42833363) Homepage Journal

    . . . nothing of value was lost.

  • Protecting yourself against weird things Facebook does is actually fairly simple. I sandbox FB in it's own browser. It's all I use Firefox for, that and the occasional browser compatibility test, but I reset cookies/cache/etc before and after. Combine that with a fake name and you're largely safe to post whatever you want. Won't fool, like, law enforcement or whatever if they look specifically at you, but it will confuse whatever automated ad/cross site dossier these companies are compiling on you. I tie it to the dumpster gmail address I use when I know I'm going to get spammed (drop in your biz card, win a free happy hour!) and bam, I don't even think I've ever touched the privacy settings menu.
  • by InvisibleClergy (1430277) on Friday February 08, 2013 @01:17PM (#42834009)

    I noticed this several times across a span of 9 hours, from first notice to last notice. I would hardly call that "quick".

Happiness is a positive cash flow.

Working...