[danpalmer]

Fun story.

At my previous company we had "Sign in with Facebook" – whatever your opinions on it are, it was probably the right thing for the company at that time.

Facebook decided to "audit" us to make sure we were doing sign in right. The tested it incorrectly, told us we were at fault and needed to fix it, and gave us 2 weeks to do so. We scrambled to figure out what the issue was, only to find after they eventually replied to our emails (all they told us up-front was "it doesn't work") that they had tried to use a sign-in only button to sign-up, similar on many websites, not at all for our flow and not something it was possible for us to do. We explained this and they dropped the audit.

2 weeks later, they audited us again, failed us again, and gave us a deadline to fix it. We replied pointing to the previous case and explaining again why it was working. We never heard back.

2 weeks later, they audited us again, failed us again, and gave us a deadline to fix it. We replied asking what the hell was happening (politely). We never heard back.

1 week later "Sign in with Facebook" stopped working with no other warning. We opened a support case, we emailed our ads account manager, we emailed our previous ads account manager as the first was on holiday, and all we got was "we're looking into it, but it looks legit, fix it".

I asked for a call and explained that the current user experience for users was that they would click "Sign in with Facebook" and see an error saying "Facebook is currently not working, please sign in another way", and that the only way we had to resolve this was to email all our Facebook auth'd users a password reset with an explanation that Facebook sign in no longer worked, and to then remove the feature from our site.

"Ah. Ok yeah let me see what I can do". It was working about 2 hours later, and we weren't audited again in the rest of the time I was at the company.

[KIFulgore]

At my last company, we had 12 identical Facebook apps working as service-to-service messaging integrations. They chose to have 12 apps due to data sovereignty reasons, separating implementations in different regions. For each permission we needed, we'd record screencasts of all 12 apps and explain how to verify the system works, then submit for App Review.

Usually about 4 would get approved, and the other 8 would be rejected. All for different reasons. Usually it was something about Facebook Login - which we didn't use as an S2S integration. It was maddening.

We'd make token changes to the rejected reviews, resubmit, then keep resubmitting until they were all approved. On occasion an App would keep going to the same stubborn reviewer and we'd contact our Partner Manager. They're nearly powerless to do anything, since the Safety and Review team is firewalled off from the rest of Meta to prevent outside influence.

Funny nuance: when in development mode, Apps can't receive webhook events for wall posts. Only webhooks for Messenger (DMs) are active. We were adding support to reply to wall posts, but couldn't test or demonstrate the feature because public post webhooks weren't available. "How do we proceed?" "Well, you need to use the fetch API to get posts in batch for Approval, then you can use webhooks." Thing is, our platform wasn't interested in pulling posts in batch. Just routing public posts in real-time via webhooks.

So, we built a completely separate App to pull posts in batch and got it approved. Then used a proxy to slingshot webhooks through that App to our platform, bypassing the under-review Apps altogether. And we got them all approved.

It's a joke that Meta tries to enforce policy at the application level vs. API for enterprise S2S integrations. Workarounds "faking" the experience are always possible.

I advised simplifying things by having a single proxy service distributing messages to different cloud regions based on the customer. Or maybe 3 proxy Apps - dev, US, and Germany, as simple middleware shims. But not 12 Apps. It fell on deaf ears. Since I left, I hear with Instagram support and more granular permissions on Messenger, they're submitting 60+ App Review submissions every quarter. With the resubmissions and petitions it's nearly full-time position.

If I ever took another position working with Meta, it would have to be "retire in 3 years" kind of money.

[jherskovic]

We removed "Sign in with Facebook" from our public learning management system (we provide content to the public) instead of continuing to jump through their insane requests and demands.

[soundnote]

OAuth in general feels like an increasingly bad idea. Log into everything with Google? Oops, one arbitrary account lock from Google and you're beyond fucked.

[jackewiehose]

I agree. And besides that I also think it's an incredibly bad idea to train users, who are technically not very firm, to enter their credentials on some random page that asks for it.

I'm a pro and even I can't tell how this is supposed to be safe. How would you explain the security aspects to someone who can't distinguish between google-search and the browsers address-bar?!

[NonNefarious]

It's bad enough that loads upon loads of sites require people to use their E-mail address as a user ID. What a stupid policy, one that embarrasses many companies that should know better (YES, THIS MEANS APPLE).

When you force people to log in with their E-mail address, what percentage of the public also thinks they need to use their E-mail password? I'm going to guess at least half. Now, if that site is compromised by a hack or disgruntled employee or whatever, people's E-mail accounts are wide open and identity theft galore can ensue.

Not to mention that your E-mail address is on thousands of spammers' lists. Combine that list with lists of common passwords, and you have a shitload of compromised E-mail accounts right there.

Nobody should have tolerated this amateur-hour policy, but here we are.

[stjohnswarts]

This is why you have to have a backup plan for your data and your business when you depend on cloud services. One day there is a very high probability some automated bot of theirs is going to flag you and take you down mercilessly, despite your best efforts. You have to be ready.

[WirelessGigabit]

I agree with the fact that storing your identity on a service like Google isn't necessarily the best idea, but as a developer I DON'T want to be dealing with passwords and account lock outs. OAuth is great in that regard.

[jherskovic]

So very much this. The reason we're using OAuth in the first place is that we're leaving authentication to the big companies that know how to do it well.

The sheer amount of support work that resetting passwords and fixing access issues (and dealing with hostile actions) generates for a small team is staggering.

[bliteben]

not if but when

[danpalmer]

It was a ticket we had for a long time to remove it, in fact we had been no longer giving it as an option for account creation for a few years. It just was going to be a week of work and we wanted to avoid it if we could.

[simonbackx]

There are so many stories like this, it is crazy! Thank you for sharing this.

[998244353]

One quite perplexing common theme is "thing gets flagged -> thing gets resolved by a human as a false positive or whatever -> two weeks later, thing gets flagged again with no change, presumably by an automated system".

If the flagging is done by a human, is there really no "case file" that records the previous flags and why they were false positives? If it is done by an automated system, why is it allowed to flag things that a human has already cleared with no change?

[debugnik]

Not a FB story, but I once had an innocuous profile image on a Google side-account get flagged and automatically restricted from public view. I requested human review and it was manually approved. The next week it got flagged again; same process, reapproved. This kept happening every week until 5 times total; I kept going just to see how long would it take them to stop, as I didn't really care about the image or even the account.

Long time after I'd last used that account, I logged-in again and, you guessed it, the image was flagged. Requested yet another review, approved. Was it really that hard for them to trigger human reviews before restricting content that had already been reviewed?

[bell-cot]

Hard? No.

Beyond their interest in doing, or their (low, low) budget to do at scale? Yes.

[danpalmer]

FWIW, the audits were definitely being performed by humans, we saw the screenshots and some notes. The triggers for audits were likely automated.

[marcosdumay]

You mean large company screws up, people get in touch and they fix it?

I completely disagree, there aren't many stories like this. In fact I don't remember reading any on HN.

[rendaw]

Who on Facebook's side resolved the problem in the end?

[danpalmer]

Not certain. Our ads account manager (or maybe the old account manager) found the internal ticket and I suspect told them that it was looking really bad for Facebook and that they were at risk of losing us.

[niuzeta]

By the time the communication was sent to all the users, wouldn't it have been too late? "Lose" the account or not, I don't imagine the company ever wanted to deepen the relationship with Facebook.