August 16, 2013
Facebook Explains Vexing Developer Site Outages
Michael Harper for redOrbit.com - Your Universe Online
Many Facebook developers had trouble signing into their accounts on Tuesday, and some even had their apps permanently disabled. Yesterday morning, Facebook responded saying the automated system they use to detect malicious apps began targeting legitimate apps as well. The social behemoth then shut down the system to fix the malicious app sniffing algorithm, a process which they say took longer than expected. Though access to the developer center has been restored, this story highlights not only the constant barrage of attacks hackers are directing at major sites, but also the deleterious effects automated systems can have when they go rogue due to poor management or code.
In a Developer Blog post, Eugene Zarakhovsky explained the error without naming any of the malicious apps in question. Facebook uses some automatic systems to seek and destroy any apps which exhibit what they call “malicious patterns.” The network says they’re under constant attack and must remain diligent to keep the site running for their more than one billion users. Under normal operation, the switch is flipped and the system finds and disables the malicious apps. On Tuesday, however, Facebook broadened the parameters used by the system to hunt for malicious apps.
“On August 13th, we undertook such a procedure. We started with a broad pattern that correctly matched many thousands of malicious apps but, unfortunately, also matched many of your high quality apps,” writes Zarakhovsky in the Developer Blog.
“When we detected this error, we immediately stopped the process and began work to restore access. The process took longer than expected because of the number of apps affected and bugs related to the restoration of app metadata.”
With service restored and the malicious apps in question presumably removed, Facebook said they’ll improve the system to ensure this kind of undue disabling of apps doesn’t happen again.
First, they say they’ll create “better tools” to not only find the dirty apps, but also confirm that the apps are harmful before disabling them. There’s also the issue of the extended downtime when they halted the malicious app hunting system. Facebook says they’ll look into this as well, fixing the metadata bugs and other glitches which affected the apps.
“We understand that incidents like these are disruptive to your businesses, and we sincerely apologize for the inconvenience,” wrote Zarakhovsky in apology. “Our team is invested in learning from these incidents and making sure Facebook Platform stability continues to improve.”
Zarakhovsky does stress, however, that Facebook must remain diligent in seeking out malicious apps. While the automated systems set in place normally do a good job in helping them seek out malicious apps, they clearly aren’t foolproof. And while the social network can improve on them, there’s no such thing as a perfect system.
Other large sites - especially the websites for national news media - are often targeted by hackers, either to inflict harm or to broadcast their own message. The Syrian Electronic Army (SEA), for instance, has been notorious in recent months for hijacking websites and Twitter accounts. Websites and Twitter accounts for CNN and the Washington Post were hacked by the SEA just yesterday, redirecting visitors back to the SEA’s website and sending false tweets. According to sources, the SEA was able to infiltrate these websites through a third-party link recommendation service.