AT&T Glitch Connects Users To Wrong Accounts
CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"
Facebook login information is stored on the phone, is it not?
I'm god, but it's a bit of a drag really...
It's a feature, NOT a flaw.
Can you hear me now? Maybe. Can I see all your private information? Yes!
Quote from the article:
"I thought it was the phone -- 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it...'"
should be:
SUE the hell out of them.
Probably will take Yahoo only another 15 years to catch up. Wish all other services with even a small chance of transmitting private data would do the same. Even if they charged for it (i.e. a premium account).
Reading the article's comments (Ya, I know, ban me for RTFA lol) the issue appears to be quite widespread, and possibly on Facebook's end. They appear to not use encryption once you log in, so that is definitely a weakness there. But that "costs" more bandwidth... but if Google can do it and switch to HTTPS... but of course this is email, not public humiliation we are talking about here.
Like a city whose walls are broken down is a man who lacks self-control.
The website handles the login to accounts. The article was saying that folks were logging in via their AT&T cell phones and ending up on others pages. I don't get it, one's phone has their login information, the phone sends the login info to Facebook, Facebook verifies the login information and then lets the user see their stuff. What, is ATT pooling login information to Facebook on one server and doing a lookup when someone wants to log into FB?
How in the World can this be AT&T's fault unless they have some special deal with Facebook and they're the ones sending wrong information to Facebook.
If this is in fact AT&T's problem, then that means it could happen to those of us that have AT&T as their ISP and login via their home computers.
Actually, WTF is Facebook doing?!? That is the real question here. How the hell is AT&T mixed up in this?
Did the session IDs get crossed? This is the only thing I can think of: that the cookie got sent to the wrong handsets, perhaps because they were logging in simultaneously. This would be very worrisome if it were true, as it would not apply to other sites besides facebook, e.g. banking sites.
However, I'm wondering if it may be a problem with the Facebook login system. Perhaps there is something wrong with how they identify a browser who is currently logging in, and they confused handsets on the carrier (since they probably share IPs with other handsets).
More testing needs to be done to determine if this really is an ATT issue, or just a facebook issue. Facebook doesn't exactly have cast-iron, secure code, from my experience.
Also, AJAX can get wonky sometimes if you don't code it right, and facebook relies on a lot of AJAX now.
I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.
I am specifically talking of the horror that is Microsoft's ISA server.
At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.
This happened to me in Virginia a few weeks back. AT&T is my service provider. Promptly logged out so I could get onto mine.
You mad
CALEA application? Obviously in this case its use would be accidental, but doesn't CALEA give law enforcement the ability to "ghost" sessions like this?
She ought to consider how the phone is probably feeling the same way about its user.
It would be really easy to do this if they used squid or similar and somehow told it to not honor/honour the Cache-Control setting; subsequent connections would end up re-using "objects" that were supposed to be private... like cookies.
Might have been a NAT problem on ATT's WAP gateway.
I have no inside details on AT&T or Facebook, but what you've described is almost certainly the problem. AT&T very likely use fairly aggressive caching proxies, especially lately to help mitigate their infamous capacity issues. I'd say that what happened here is pages are being cached without proper regard for cookies. That's fine for sites that don't have custom accounts, and only use cookies for tracking various page view statistics. But Facebook (like nearly every other site in the world that requires a login) issues a cookie to identify you, once you've entered your credentials. So that cookie is how the server knows it's you, and not somebody else. If AT&T's forward caching proxies ignore this cookie, and just give you the most recent page served from Facebook, you're sure to hijack somebody else's session. And, since your first request sends your new credentials, the person you've hijacked (if still online) will now have passively hijacked your session, explaining the last scenario from TFA where sessions appeared to have been swapped.
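The failure mode described in the two comments above, modelled as an added example (not code from the article, AT&T or Facebook): a proxy that keys its cache on URL alone and ignores Cache-Control/Vary hands Alice's logged-in page to Bob, while a proxy that honours private/no-store and Vary: Cookie serves each user their own page and still caches genuinely public content. The session cookies and page bodies are constructed values.

```python
from dataclasses import dataclass

# Constructed session table standing in for the origin's login state (not real values).
SESSIONS = {"sid=alice-7f3a": "Alice's home page", "sid=bob-91c2": "Bob's home page"}
ORIGIN_HITS = {"count": 0}  # how many requests actually reached the origin

@dataclass
class Response:
    body: str
    headers: dict

def origin(url, req_headers):
    """Toy origin: the session cookie decides whose page comes back."""
    ORIGIN_HITS["count"] += 1
    if url == "/logo.png":  # genuinely shareable content
        return Response("logo bytes", {"Cache-Control": "public, max-age=3600"})
    page = SESSIONS.get(req_headers.get("Cookie", ""), "login form")
    return Response(page, {"Cache-Control": "private, no-store", "Vary": "Cookie"})

class NaiveCache:
    """Keys on URL alone and ignores Cache-Control/Vary: the bad in-path cache."""
    def __init__(self):
        self.store = {}
    def fetch(self, url, req_headers):
        if url not in self.store:
            self.store[url] = origin(url, req_headers)
        return self.store[url].body

class CompliantCache:
    """Refuses to store private/no-store responses; keys variants on Vary headers."""
    def __init__(self):
        self.store = {}  # url -> (vary header names, {selecting values: Response})
    def fetch(self, url, req_headers):
        if url in self.store:
            vary, variants = self.store[url]
            sel = tuple(req_headers.get(h, "") for h in vary)
            if sel in variants:
                return variants[sel].body
        resp = origin(url, req_headers)
        cc = {d.strip() for d in resp.headers.get("Cache-Control", "").split(",")}
        vary = [h.strip() for h in resp.headers.get("Vary", "").split(",") if h.strip()]
        if cc & {"private", "no-store"} or "*" in vary:
            return resp.body  # forward to this client only, never store
        sel = tuple(req_headers.get(h, "") for h in vary)
        self.store.setdefault(url, (vary, {}))[1][sel] = resp
        return resp.body

def replay(cache_cls):
    """Alice logs in, then Bob requests the same URL through the same proxy."""
    cache = cache_cls()
    alice = cache.fetch("/home", {"Cookie": "sid=alice-7f3a"})
    bob = cache.fetch("/home", {"Cookie": "sid=bob-91c2"})
    cache.fetch("/logo.png", {})
    before = ORIGIN_HITS["count"]
    cache.fetch("/logo.png", {})
    return alice, bob, ORIGIN_HITS["count"] == before  # third value: logo came from cache

if __name__ == "__main__":
    print("naive    :", replay(NaiveCache))      # Bob receives Alice's page
    print("compliant:", replay(CompliantCache))  # Bob gets his own; logo still cached
```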
The article says:
But I, as just a random user of some commercial (read: mail-order, telephone company, etc.) websites, have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies, although that is purely a guess; maybe indeed there was some hijacking going on at the network level.
Some of these websites were supposedly "https", but some inspection of HTML source revealed this was just the frame; the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URLs in those frames I could see arbitrary customers' account info.
I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.
In the pre-LAN days of the 1980s we used to use terminal servers to connect dumb terminals to the computers. Their purpose was to dish out point-to-point connections on demand.
Once in a while, perhaps due to a power glitch, the terminal servers would drop all connections and then immediately reconnect everyone at random. Users abruptly found themselves in the middle of someone else's session.
Old technology or new, connection errors are bound to happen once in a while.
The true risk here is misplaced confidence. People simplify; errors that happen very rarely are mentally simplified to "never happens." They then become sloppy and unguarded.
In parts of India where customers suffer electric blackouts 4-5 times per day, commerce is so robust that they hardly notice. When a regional blackout happens in a Western country once every 10 years or so, many people are caught unprepared.
Fire departments hold regular drills to maintain preparedness skills. The frequency of real life emergencies is not sufficient. Perhaps the public would be best served by participating in regular Internet drills, but I'm not going to hold my breath waiting for that to happen.
On the IP layer, this wouldn't happen, because there are cookies contained in the web traffic that are used to route things on the Facebook end, simply because there are NATs and the like.
Thus the problem is whatever in-path HTTP proxy AT&T is using for their phones that crossed things over.
In-path HTTP proxies and caches can be very hard to find and may produce all sorts of interesting subtle problems when there are bugs in them.
Test your net with Netalyzr
I have an iPhone with the facebook app with t-mobile. After updating to the newest version, I keep getting notifications for other people. I let facebook know but didn't get a reply. Is anyone else having this problem?
Really now? And people are just now realizing this?
---- Booth was a patriot ----
Bad in-path caches are something we specifically check for on Netalyzr. It's surprising how many BAD in-path caches still exist, which cache data that the HTTP server said "for the love of god, don't cache".
More, what has happened is that bandwidth has gotten cheap, so fewer people are DOING caches, and when they are caching, it's more likely for latency, not bandwidth savings (e.g., we see a lot of caching for users from South Africa).
This is sheer incompetence IMO. It is sad to see the organization which originally spawned Bell Labs -- arguably the most important private sector research organization the US has ever seen -- reduced to this. (Not to mention the fact that Lucent, nee Bell Labs, is now but a mere appendage to the French telecom operation Alcatel.)
I had something like this happen to me on T-Mobile a couple weeks ago. A mother and daughter were trying to call each other one night, and each call went to me. It went on for over an hour. I even tried to call their numbers back and got my voicemail.
....that if you really need data to be secure, end to end security is the only way to go. That way, no matter what happens in the network (short of man in the middle attacks by a trusted or very resourceful attacker), either only you get your data, or nobody does.
Of course I'm here on slashdot via a non-secure connection, but the worst that happens here is someone steals my account to post obnoxious shit. (and who would notice?)
Unless they are women, the people working at your service provider (and all the layers between you and your target site) are in fact men in the middle. Whether they decide to "attack" by their own choice or, e.g., by government order is up to them, but it is up to you to be aware of that and take measures to minimize risks. Unless we are talking about Facebook, of course, where lack of privacy doesn't seem to be a big priority.
What makes this "little known"?
This is the whole reason we have SSL(TLS) and happens all the time, except usually nobody notices.
...and that is all I have to say about that.
http://jessta.id.au
Years ago I clicked on a dating service ad here on Slashdot. It turned out (disappointingly) to lead to Match.com. But the interesting thing was that I appeared to be logged in as a Match.com user (I had no account with Match at the time). I verified that I was indeed logged in by going to the account details page, and was able to see this guy's personal info.
Now I could've been a dick, but I wasn't -- I logged out immediately. But to this day I wonder how the heck that could've happened.
THEN WHO WAS PHONE?
It turns out that both of these women who use AT&T phones had both heard of Internet Explorer and Firefox. The nation of Liberia is now warning users who have ever heard of Internet Explorer or Firefox to switch to Liberia's own Liberexplorer for a limited time only. Supplies are running out fast and there is a strict limit of 2^10000th power per customer. Just five easy installments of $10.99 and you're in the clear. Act now!
It's true that the HTTPS protocol would have prevented this, but it can only prevent this type of activity within the https connection! There's no reason why AT&T wouldn't have the phones set up to use an HTTPS proxy - meaning that the connection between the phone and the proxy is like any other http proxy, and the proxy server then initiates the HTTPS connection!
Take a look in your browser settings for "HTTPS proxy", virtually all browsers support this type of behavior, and if AT&T was "aggressively caching" content in order to improve their well-known performance limits, then they almost certainly would have done this, too, and thus HTTPS would have offered no protection at all from this type of bug.
Funny how often well-designed protocols are undone by well-intentioned modifications that bring the whole system to its knees, no?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I can't help but wonder if what happened here is not a glitch -- this is the access that the US intelligence communities get all the time through AT&T. The only "glitch" was that somehow, this lady temp. got into that loop. If this is the case, they see whatever, whenever, all the time -- now that is what is really scary.
Cell phone internet uses a NAT-based system; the higher-priced plans have real IPs. I think that media net is NAT-based.
Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
When are we going to get the story from the CEO somehow blaming this on the iphone and all the bandwidth they use?
He readily admits to reading the article! Not only the article, but even the comments! We can't have that on Slashdot - we've got to nip this in the bud.
#DeleteChrome
Obviously, he didn't RTFM... But are you new around here? This is slashdot!
Sig out of date
I have been getting facebook notifications for someone in Germany, I get notified of all the comments posted on their profiles. I thought this was something wrong with the facebook application itself, but this confirms my suspicions that there is a deeper issue at hand.
- Aetheral Research -
So, AT&T, tell us again what makes your service worth those outrageous rates? It seems you can't even assure that you won't deliver my data to a complete stranger.
In the fall of 2005, I was in a computer lab in Italy. There were probably 10 or 12 desktop stations. We'd often have trouble with our sessions temporarily crossing. So I'd be on Facebook and then all of a sudden somebody else's profile would show up when I'd click a link to my profile. Similarly, this would happen to other people. We couldn't make any changes - a single click to a new page would take us back to our account. Facebook was a very different operation back then, but I always assumed it was the network admins who were at fault.
Kind of you to let us know now. Which websites were they again?
The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.
I cannot understand why Facebook didn't add the IP address to the hash of the login, making it impossible to use the same cookie with another IP address.
I simply cannot understand. I even think mobiles generate their own UNIQUE identification code which could be used too for the mobile version of Facebook.
I'd think BOTH are in error: Facebook for having ratsass security and the phone company for making this possible.
Makes one wonder too how safe we really are from MITM attacks, looking at this case...
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
If what you said was remotely true, none of the buttons or links would work. Dur.
Not true. The links and buttons simply take you to other URLs which would also have gotten cached by the caching proxy server. (The friends page on facebook is "http://www.facebook.com/friends", which is just another URL to cache.)
Dur indeed.
E pluribus unum
Click the damn "logout" link to end the session.
I know that cell calls use (or used to use) a form of security that involved constantly rotating calls from channel to channel (or whatever the terms are). Does data access work in this way whereas AT&T just handed over an open session (possibly from a dropped 'call')?
"I thought it was the phone -- `Maybe this phone is just weird and does magical, horrible things and I have to get rid of it,'" said Candace Sawyer.
Be seeing you...
"I felt like I had been let down by the phone company and by Facebook," he said.
Thank you for choosing AT&T
Do these things remember cookies? ...
As soon as that's possible, a unique id can be assigned.
Add to the mix the user agent, IP, proxy info and (a hash of) an internal identifier == unique id.
I've seen earlier some entries from Perl code around cpan about mobile authentication, possibly with a few brands only; but cannot remember the right module anymore. There is some Ericsson code available through the web.
I wonder if this "bug" is also possible through Facebook Connect, because that would mean an extreme privacy risk for users behind a company proxy!
This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.
If the IP and other environment variables are passed together with that id, it would be "more" locked to location and client.
For Facebook with its own security gateway (Facebook Connect), I've been expecting this session id to be at least that secure ...