How Facebook Connect took down the Web

Web hijacking wrought by Facebook Connect shows that both sites and users may be ceding too much control to Facebook

From the beginning, Facebook has helped popular websites become even more popular by allowing people to post status updates full of links that have guided their friends to the Web pages they visited. Then last Thursday, the websites that were closest to Facebook started crashing, and the world learned the potential downside to giving Facebook such a central role on the Internet.

The problem arose from the Facebook Connect API, a clever bit of JavaScript that allows website developers to integrate their sites with Facebook. The developers need merely add this library to their main page, then users can easily share the website with their Facebook friends. It's intended to be a virtuous feedback loop that allows users to share, Facebook to gain more status updates, and websites to increase their traffic.

It went wrong when Facebook started mishandling its end of the connection. The API normally checks whether a user is logged in, then builds a box full of information about the user that is seamlessly integrated with the website. For a bit less than an hour last Thursday, the API's background requests for information about the user were redirected to an error page, a result that confused the API and led it to take over the Web page and replace it with a big error message from Facebook. Instead of seeing the news or the weather or whatever their destination would normally display, users saw just a Facebook error.

The small technical glitch highlighted just how powerful the Facebook API can be and just how much control websites cede to Facebook when they include its JavaScript library. The API can rewrite the entire Web page and change any of the page's content without the original website being the wiser. In this case, the API just posted a cry for help as an error message, but it could have been much more malicious.

There has been little talk about how this glitch illustrated just how much data Facebook is gathering about where we browse. Even if you don't click the Like button on the Web page, Facebook learned you were there when the website initialized the Connect API code. It's tracking much of what we do on the Internet.

While this particular mistake is probably an isolated instance that won't cause much trouble, some websites may want to rethink the architecture of their interactions with Facebook. Some sites may want to work a bit harder to isolate Facebook interactions instead of taking the easy solution and opening a big door for Facebook's code to do whatever it wants.

Is the Facebook API too powerful? Twitter has an easier way of adding a status update by using a simple URL like http://www.twitter.com/home?status=Hello+World. This is far from as tightly integrated or as automatic as the Connect API, but it leaves the control with the originating website, reducing the dangers of a glitch taking down the Web by hijacking the browser session. It also serves to protect the privacy of the users. Developers should spend more time examining options like this.

This story, "How Facebook Connect took down the Web," was originally published at InfoWorld.com.
