Facebook’s redirect error foretells the future of hacking

Last week Facebook suffered an “error” that had an astounding ripple effect, as users of thousands of popular websites were inadvertently redirected to a Facebook error page. It was shocking to learn that Facebook Connect could disrupt every site it linked to — but even more troubling was the glimpse it gave us of future hacker attacks.

In security circles, the underlying issue is termed “transitive trust.” The average popular website links to all sorts of sites and services, with the typical home page featuring more than a dozen third-party links. Each of those links can be used by hackers for malicious intent. Your website or service is only as secure as its weakest link — literally.

[ Also on InfoWorld: Facebook error that hijacks thousands of websites isn’t just an “inconvenience”| Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

Transitive-trust hacking is nothing new. It occurs every time a banner ad running on an innocent website ends up linking to a malicious Web creation. It happens every time a hacker finds out how to hack a common website management control or widget. My favorite example was when a popular cartoon syndicate was hacked, and all the online newspapers linking to everyone’s favorite cartoons got malware pushed to them. In all the cases, the “innocent” websites were compromised because they assumed the integrity of another site.

The problem of transitive-trust hacking can only grow. More and more, websites and services are becoming an aggregated, symbiotic community built from a large number parts, much like the Portuguese Man’o War jellyfish that populate the waters near my Florida home.

This level of interdependency does not bode well for security. InfoWorld’s own Robert Metcalfe, the inventor of Ethernet and one of my all-time favorite writers, encapsulated the problem with Metcalfe’s Law: The value of a telecommunications network is proportional to the square of the number of users connected to the system. By the same token, as site is connected to site, risk increases exponentially.

The Facebook error that slammed thousands of websites for an hour could have just as easily been a malicious hacking redirection. There’s nothing in Facebook’s publicly known security posture that makes me think the company has a stronger security defense than any other company I work with. The world’s biggest banks, armed services, and secret government agencies have been hacked multiple times — why would Facebook, the corporation, be any different? And of course, we know that their main services have been hacked many times in the past and new exploits that must be patched surface on a regular basis.

What can you do? At the very least make sure you, yourself, and your team colleagues, understand the concept of transitive trust and its implications. Website leaders and designers need to understand the issues. I can guarantee that dark implications of the Facebook error are rippling thousands of conference rooms this morning. You can thank Facebook for giving us all a free lesson.

This story, “Facebook’s redirect error foretells the future of hacking,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.