• United States




Facebook’s redirect error foretells the future of hacking

Feb 12, 20133 mins
Application IntegrationData and Information SecurityFacebook

When so many websites link to so many others, hackers can do a lot more damage than sending users to error pages

Last week Facebook suffered an “error” that had an astounding ripple effect, as users of thousands of popular websites were inadvertently redirected to a Facebook error page. It was shocking to learn that Facebook Connect could disrupt every site it linked to — but even more troubling was the glimpse it gave us of future hacker attacks.

In security circles, the underlying issue is termed “transitive trust.” The average popular website links to all sorts of sites and services, with the typical home page featuring more than a dozen third-party links. Each of those links can be used by hackers for malicious intent. Your website or service is only as secure as its weakest link — literally.

[ Also on InfoWorld: Facebook error that hijacks thousands of websites isn’t just an “inconvenience”| Learn how to secure your systems with the Web Browser Deep Dive PDF special report and Security Central newsletter, both from InfoWorld. ]

Transitive-trust hacking is nothing new. It occurs every time a banner ad running on an innocent website ends up linking to a malicious Web creation. It happens every time a hacker finds out how to hack a common website management control or widget. My favorite example was when a popular cartoon syndicate was hacked, and all the online newspapers linking to everyone’s favorite cartoons got malware pushed to them. In all the cases, the “innocent” websites were compromised because they assumed the integrity of another site.

The problem of transitive-trust hacking can only grow. More and more, websites and services are becoming an aggregated, symbiotic community built from a large number parts, much like the Portuguese Man’o War jellyfish that populate the waters near my Florida home.

This level of interdependency does not bode well for security. InfoWorld’s own Robert Metcalfe, the inventor of Ethernet and one of my all-time favorite writers, encapsulated the problem with Metcalfe’s Law: The value of a telecommunications network is proportional to the square of the number of users connected to the system. By the same token, as site is connected to site, risk increases exponentially.

The Facebook error that slammed thousands of websites for an hour could have just as easily been a malicious hacking redirection. There’s nothing in Facebook’s publicly known security posture that makes me think the company has a stronger security defense than any other company I work with. The world’s biggest banks, armed services, and secret government agencies have been hacked multiple times — why would Facebook, the corporation, be any different? And of course, we know that their main services have been hacked many times in the past and new exploits that must be patched surface on a regular basis.

What can you do? At the very least make sure you, yourself, and your team colleagues, understand the concept of transitive trust and its implications. Website leaders and designers need to understand the issues. I can guarantee that dark implications of the Facebook error are rippling thousands of conference rooms this morning. You can thank Facebook for giving us all a free lesson.

This story, “Facebook’s redirect error foretells the future of hacking,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.

More from this author