Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Connect was down (facebook.com)
113 points by arrel on Feb 8, 2013 | hide | past | web | favorite | 54 comments

Not only is it down, but it's redirecting everyone who visits a site with FB Connect on it to this error page. For example: http://www.economist.com

I just got bitten by this. I was visiting a news site and opened ~30 tabs to things I wanted to read. And then those tabs just showed me an error message. Frustrating :(

Edit: Might be worth noting that logging out of FB "fixed" this for me. (But I had to go back and re-open all those tabs.)

Oooh that's bad. I would be fuming mad if that was happening on my site.

The site


works fine for me, perhaps because I have never used Facebook to log into it.

AFTER EDIT: Replying to the kind reply to this comment, I am ALWAYS logged in to Facebook (with AdBlock Plus and Social Fixer and Ghostery activated, using Chrome), and I was surfing all over the Web completely normally while sites were reported to be redirecting. So maybe something different about my set-up protected me from the problems many other users observed today.

With Ghostery running, it should not even load anything from a Facebook domain. The (buggy) code to redirect people to facebook.com would no doubt be served fromFacebook themselves. Stopping that code from being served to your browser means they can't redirect.

I absolutely love Ghostery and other related tools.

It's not whether you've ever used Facebook to log into The Economist's site, but whether you were logged into Facebook at all. If you were, you were redirected.

EDIT: By the timestamp on your comment, the issue appears to have been fixed, anyway.

Yes hehehe. Someone will be fired today. :(

That's not how Facebook does things. Actually if you haven't taken down the site, you'll be warned.

"Move fast and break things" may work for Facebook.com, but I dunno if souring relationships with important partners will be praised.

A perfect case study in why the current practice of "just add a script tag with 'facebook.com/whatever.js' into your page and all your LIKE buttons will work magically!" is an absolutely terrible idea.

It's only a terrible idea if you don't have a kill switch. It's also only a terrible idea if the benefits do not outweigh the costs of something like this happening (and you being unable to respond to it.)

Adding the JS file is simple and up until now has always worked. If it ends up driving tons of traffic back to your site it seems worth it.

'Absolutely terrible' is a just a wee bit hyperbolic. It is an idea that has positives and negatives, but you only notice it when it does this. And how many times has it done this since they've implemented it?

Broken behavior related to this happens quite often actually. I've had sites that were bitten by this or some variant. If you follow the Facebook bug tracker it comes up every now and then (it might be localized to a degree in some cases). They do move fast and I think fix it quickly in most cases. In fact there was something that was broken just last week here on HN but the behavior wasn't something that affected so many sites to this degree.

Yep. We prefer the <iframe> solution over their JavaScript-created versions for this reason.

This particular bug is just as likely either way; the js must be changing window.location, there's no reason to think the iframe wouldn't change window.top.location.

IE and Chrome both have ways of restricting iframes from changing window.top.location, but I wouldn't trust them to work.

    <iframe src="http://example.com" security="restricted"></iframe>

    <iframe src="http://example.com" sandbox></iframe>

Hulu seems to have N-1 redundancy: with Facebook Connect down, I can't even login using my non-facebook Hulu account.

I just removed the FB connect code from Pen.io - Causing automatic redirects for all logged in users. Luckily it was easy to kill for us and won't cause users any issue with logging in.

Our three sites are now free of Like buttons. It would be interesting to see how many disappeared today.

Should we be surprised?

Facebook Connect was deprecated in 2010


As a brand.

from the same article: " Instead, the company is standardizing the interactions between Facebook and third parties via Facebook's new Open Graph protocol and the OAuth 2.0 standard."

They just fixed. I saw the same problem on zendesk (video attached): http://news.ycombinator.com/item?id=5185484

This outage goes to show that a lot of people who have implemented Facebook Connect are doing it wrong. If the only way people can login to your website or application is via Facebook then you deserve every bit of downtime you get (cynical, but true). You should never solely rely third party service at any time, regardless of how big to fail they appear to be. Always allow a user to login more ways than one.

Facebook logins for mobile web pages is also failing for many users (which Facebook considers "Priority: Low"). Facebook has been having serious blocking issues for days.


This might be because of - February 2013 Breaking Changes Now Live https://developers.facebook.com/blog/post/2013/02/06/platfor...

And, they are surely breaking.

This is my guess as well - our app updated and Facebook connect works just fine.

Move Fast and Break Things

Fitocracy had this earlier.

I poked around a bit. When you include Facebook's JS, it calls on a PHP file which (inter alia) returns a <meta> tag with a redirection instruction taking you to the broken page.

As pointed out in the previous post, you should not rely 100% on Facebook as your Auth gateway. You should have an alternative for your users to login in case of something like this happens.

This breaks people who have all kinds of other login options. For my site we had to actually exclude the FB JS from our site to prevent the redirect.

See http://news.ycombinator.com/item?id=5185600. Every page with a FB Like button on it went to that FB error page.

Does this only affect those logged in to Facebook? I quit Facebook for a year so I'm not sure whether it is fixed or whether I was just not bothered by it at all

Yes, that seems to be the case. Also, it has just apparently been fixed.

I'm surprised the redirect loop can even happen. Seems malicious. Another example: http://www.usatoday.com

Again, building large things on big proprietary services is a bad idea unless you understand what you're getting into.

I can almost guarantee that the folks that implemented FB connect didn't understand that the failure mode could forward all traffic to FB. I have no idea how that could become a rational design decision.

So one day, Mark says to Bill, "Call THAT a monoculture? I got your Central Point of Failure right here!"

Appears to be "fixed" now. Economist.com no longer redirects. FB's own developer pages (https://developers.facebook.com/roadmap/) used to manifest this too, and no longer do.

Seems to be not redirecting anymore, but it definitely was for a while.

It's been fixed. The status page doesn't mention the blip though: http://developers.facebook.com/live_status/

Entertainingly, that page was among those affected.

This pushed us to implement a kill switch for our facebook functionality. Something we'll keep in mind the next time we're integrating with third party services.

Wow - it's asking me to re-auth the developer app. This is a big bug and we've been very badly bitten by it. Not going to make the same mistake again.

Seems fixed now.

A clever way to take over the Internet.

If you're affected by this logging out of Facebook stops the redirect happening.

Tell that to the millions of users who are just going to blame this on the sites that it's happening to. What a clusterfuck.

Hmph. And I was just sitting down to do a iOS Facebook connect tutorial.

Works for me. I just signed into two separate sites with FB Connect.

memories of long nights hacking around facebook bugs... here's to paid services that don't need facebook!

Quick, integrate with clef.io instead!

Or give up closed, centralized systems altogether and take a look at Mozilla's Persona project -- the open web deserves open, federated authentication systems.

(N.B.: I work on Persona, and it does have a centralized fallback for bootstrapping browsers and identities. The difference is that the centralization is temporary, optional, and automatically goes away over time.)

Or https://rublon.com :-) contact me for free API access or vBulletin/phpBB/SMF plugins (mw@rublon.com).

This is ruining my life.

It's still worth it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact