On Thursday of this past week a large number of websites had a very unpleasant experience. As a user went to popular sites like NBC, CNN, Huffington Post and others, they were instantly redirected to a Facebook error page.
If you click the Okay button, you were then taken to a blank page. In short the error resembled some sort of page hijacking hack.
The problem was quickly isolated to Facebook Connect, their popular Single Sign-On platform and Facebook jumped into action, fixing the problem. But now, as it turns out, Facebook might face a more serious problem.
I first realized this problem on Thursday night with a client's site. This was before any articles were written or tweets had even gone out. Even if the articles were out, it wouldn't have been much help. Why? Well this client doesn't use Facebook Connect. The only Facebook code loading on the pages is the Facebook Like button. As soon as I removed that code everything went back to normal.
So now you maybe saying that the problem was related to Connect and not Like, so why did this site have an issue? Well apparently Facebook uses Connect in their like button. An article in Salon makes that exact same connection:
Not so fast! We should stop and think about what really happened. By demonstrating a direct connection between our Facebook logins and the Facebook Like buttons on non-Facebook pages, Facebook inadvertently advertised exactly how much it potentially knows about all our Web browsing habits.
Now there is something really sneaky happening here. When you use Connect on another site, you have to grant that site explicit permission through Facebook to access details of your account. Since the Like button is a Facebook app, you don't have to grant these permissions; Facebook just goes ahead and does it for you. After all, it's Facebook and one of their features. But now Facebook also knows what site and pages you are on, simply because that page has something as simple as a Facebook Like button on it.
This also opens up another serious issue. Given how many sites actually utilize Facebook Like, law enforcement may now have a new way to look into the browsing history of suspects. After all, you don't have to take any action for Facebook to track you. Simply have your browser logged into Facebook and visit a page with the Like button and Facebook can now have a record of where you been.
Serious issues of privacy have been raised by this outage and Facebook really needs to come clean about it. There's already a trust issue with Facebook given their past of tracking users. Until there is more transparency out of Facebook, the only protection you have is to get rid of the Like button on your sites, or if you are surfing the web, make sure you are logged out of Facebook.
(Cross posted from HollyIT)