Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Glitch Connects Users To Wrong Accounts

Posted by Soulskill on from the reach-out-and-touch-some-one-at-random dept.

CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

109 of 138 comments (clear)

  1. But... what? by i_ate_god · · Score: 2, Informative

    Facebook login information is stored on the phone, is it not?

    --
    I'm god, but it's a bit of a drag really...
    1. Re:But... what? by nate_in_ME · · Score: 3, Insightful

      I'm guessing what happened in this case is that AT&T had other users who had logged into their Facebook accounts as well, and after logging in, the wires essentially got crossed, and the wrong Facebook data got sent to each handset.

    2. Re:But... what? by MtHuurne · · Score: 5, Insightful

      I don't know how Facebook does it specifically, but many sites will give the user a session cookie after entering his/her username and password. All further requests use that session cookie to identify the user. It sounds like a proxy at AT&T served a cached response belonging to someone else and that included a session cookie that was still valid (not logged out or expired).

      It may be a bug in the proxy or a bug in the HTTP headers set by Facebook that instruct how a response should be cached. It does show that it is a good idea to use HTTPS when accessing private data, not just for banking. If the site does not offer HTTPS, it is good practice to log out when you're done, so that the server will invalidate the session cookie.

    3. Re:But... what? by bondsbw · · Score: 3, Insightful

      That's my thought... but I still don't see how things like this get "crossed". Even if your IP address got switched with another during a request, at most I would expect you to wind up is receiving one page. When you load the next page, or make the next AJAX request, you wouldn't have the session cookie and it would kick you back to the login screen.

      Unless of course Facebook sends the auth cookie in every response, or the "wires" got crossed just when the other person was making a login request.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    4. Re:But... what? by clang_jangle · · Score: 1

      It's really not that unusual. If you log in at amazon.com (or lots of other places) you see the "logged in as $name", and right near that a link that says, "not $name? log out". I remember once I went to some site and was logged in as someone else, but that was back in 1998...

      --
      Caveat Utilitor
    5. Re:But... what? by something_wicked_thi · · Score: 4, Informative

      Yes, but typically, the way you log in to one of these services requires that you have cookies enabled. There's a cookie in your local browser that has information derived from your password. For example, imagine facebook stores your password in its database as a sha1 hash of a salt and your password. E.g. the entry facebook has stored might look like this:

      salt = string(rand64())
      password_hash = sha1(salt + password)

      Now, to authenticate, you send facebook your password and they use the saved salt to see if it matches the stored sha1 hash. What they send you back would be a token to put into your cookie like this:

      token = (date, username, sha1(password_hash + date))

      Now, they make the token good only for a certain amount of time after the date. Say three hours. When facebook gets another request, it checks to see if the token is valid by comparing the date and username and then looking up the password hash for that username. It then recomputes the sha1 hash in the token to make sure it's valid.

      Using this model, it's completely impossible to log in to another account by "switching the wires". You can log in to an account simply by stealing the cookie, but that grants you log in access for only a single session.

    6. Re:But... what? by mother_reincarnated · · Score: 5, Insightful

      What is almost certainly happening is that AT&T is using a proxy which implements HTTP Pipelining, but is screwing up and not correctly pairing the requests/responses from different sessions. It's probably just more likely to happen on a site like Facebook where many many users on the same proxy are going to the same non HTTPS site...

    7. Re:But... what? by samkass · · Score: 5, Informative

      My guess is that it's as simple as this: the http returned by a request to "www.facebook.com" was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant... once AT&T cached the page it thought of as "www.facebook.com" it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user's page.

      This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it's still an easy mistake to make if you're setting up a caching proxy.

      --
      E pluribus unum
    8. Re:But... what? by richlv · · Score: 1

      that's actually something completely different - it's meant for cases when somebody else has logged in using the same browser before (and thus cookies claim that person is still logged in)

      --
      Rich
    9. Re:But... what? by clang_jangle · · Score: 1

      Perhaps, but the one time it happened to me it was on a computer to which only I had physical access.

      --
      Caveat Utilitor
    10. Re:But... what? by Bob9113 · · Score: 2, Insightful

      If the site does not offer HTTPS, it is good practice to assume the information you store there is not secure.

      Fixed that for you. Data sent in the clear is not secure.

      From this we can make another logical step: Therefore this is not a security issue. Data which is not secure cannot have a security issue. It is already public.

      --
      Stop-Prism.org: Opt Out of Surveillance
    11. Re:But... what? by TheRaven64 · · Score: 1

      It depends on what they mean by 'switching the wires'. There's nothing magic about cookies. They are just short strings that are sent with every HTTP request and response. A misconfigured HTTP proxy may forget to take them into account or ignore the nocache commands, so when you got to a URL you get back whatever the last person saw, irrespective of the fact that the cookie is different.

      That's why you use end-to-end encryption for anything that contains personal information.

      --
      I am TheRaven on Soylent News
    12. Re:But... what? by Wannabe+Code+Monkey · · Score: 1

      There's a cookie in your local browser that has information derived from your password.

      Why would the cookie have to be derived from your password? Isn't that generally a bad idea? I thought most web sites generated a completely random token for your cookie when you log in. On their end, they associate that random token with an authenticated session. They don't need the user to have any actual information in the cookie, just a unique ID that they can use to look up data on their end.

      --
      We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
    13. Re:But... what? by something_wicked_thi · · Score: 1

      The "magic" about cookies is that they are stored in your browser. Therefore, once you've got your cookie, no amount of "wire switching" is going to give that cookie to someone else.

      What could happen is that the response to the login session goes to the wrong browser, but that seems a lot less likely since you'd need two sessions logging in simultaneously.

      Yes, it's possible that it's a cache control header being ignored by a proxy, in which case the site would most likely be read-only.

    14. Re:But... what? by something_wicked_thi · · Score: 1

      A strong hash of your password is, for all intents, random. The point of a hash is that it's very hard to go from the hash back to the input string to the hash.

    15. Re:But... what? by something_wicked_thi · · Score: 1

      Replying to myself:

      It seems that maybe it is that unlikely scenario. If you go to the second page of TFA:

      The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.

      I don't know how you can misconfigure a proxy that badly, but leave it to AT&T, I guess.

    16. Re:But... what? by something_wicked_thi · · Score: 1

      I would find it very unlikely that the auth servers care about NAT. Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.

      Most likely, as another user has pointed out, it's a proxy disobeying the cache headers in the responses to Facebook's pages. It's also possible that Facebook is setting these headers incorrectly, though that seems less likely. There have also been reports of session cookies going to the wrong machines, which means that there may be multiple problems here (or those reports are crap).

    17. Re:But... what? by something_wicked_thi · · Score: 1

      I read it as two sessions getting switched. I don't think of a proxy cache mixup as wires getting crossed, even though there apparently were two users who claim they got switched in just this fashion.

      Funny coincidence considering gmail just switched to SSL a few days ago.

    18. Re:But... what? by BrokenHalo · · Score: 1

      To save cost, phone companies tend to use a single IP-address for many phones at the same time.

      Holy shit. That makes me glad I persist in using a comparatively "dumb" but very robust phone (a Motorola Razr2 V9), since the majority of my contacts don't function in realms beyond voice calls and SMS.

      I find it decidedly scary that people are so happy to conduct critical (e.g. banking) transactions via a device which by its highly stealable nature (if nothing else) is so obviously not secure. I have no objection to being able to call up the occasional map or wikipedia entry on my phone (which I can), but I prefer to use a "real" computer, since I don't care for straining my comparatively poor eyesight on handheld devices or dealing with poor text entry methods. I have yet to be convinced that the "there's an app for that" gimmmick will stand the test of time.

    19. Re:But... what? by something_wicked_thi · · Score: 1

      I'm 100% certain they don't hash the password for the token. They simply generate a random token and store it in a database somewhere.

      I have no inside knowledge. But that way works equally well as long as you are running a stateful service, anyway.

      If the server (or att in this case) sends the page, including the header that sets the cookie, to the wrong user, that user has control of the session for as long as the cookie is valid.

      That is an extremely unlikely scenario, though it did appear to happen once, according to one claim. That's because even a really stupid proxy won't include the cookie headers when caching pages.

      It isn't limited to login since the cookie expiration time is updated fairly frequently (perhaps every page).

      No, facebook's login cookie is set to expire at the end of the session, and if all the state is server side, as you say, then there's never any reason to change it.

    20. Re:But... what? by zten · · Score: 1

      I've used m.facebook.com on AT&T across different phones while using my account's SIM card without having to log in again.

    21. Re:But... what? by coolgeek · · Score: 2, Funny

      Apparently not.

      --

      cat /dev/null >sig
    22. Re:But... what? by mdwh2 · · Score: 1

      Data which is not secure cannot have a security issue. It is already public.

      I'm not sure you mean that, that's a circular definition - anything with a security hole means the data isn't secure, which by your definition means it's not a security issue. Therefore security issues can never exist?

    23. Re:But... what? by coolgeek · · Score: 1

      A misconfigured proxy server (or web application with a front-end proxy that doesn't setup the Cache-Control header properly, for that matter) will store the cookies that were sent by the application server, and send copies of the same cookies along to the next requestor.

      So, you go to the page http://facebook.com/profile (for example, I'm not a fb user), your browser sends your cookie because you logged in yesterday, the application server sends the cookie back in the response. Then I come along, not logged in, go to http://facebook.com/profile, my browser sends no cookie. The request is intercepted by the proxy server, never forwarded to facebook, and the proxy gives me your profile page and your cookie. Then I'm in on your account. When I go to change your password or change your status to "dolphin fucker", it goes via a POST request, so the proxy doesn't intercept, but my browser is now sending your cookie, so it works.

      --

      cat /dev/null >sig
    24. Re:But... what? by coolgeek · · Score: 1

      Yes, it is a generally bad idea. The use of any constant or predictable value in a cookie used for maintaining a session is a bad idea. You want the value to rotate periodically to a new value to defend against someone copying cookies off of another person's computer.

      --

      cat /dev/null >sig
    25. Re:But... what? by jabbathewocket · · Score: 1

      No its not because your presumption is false.. Lemme explain how it works in laymans terms.. user A (me) logs in like normal to facebook.. at the same time user B also logs in.. .. the important factoid here is we are BOTH logging in from computers with absolutely legit credentials IE there is not a single solitary security method that will fix this problem.. because The ISP's servers are trying to cache responses from the servers before passing them on to users.. So when ATT's server decides to send user B's data to me.. I am still logged in to my own account etc.. its the ISP that is transposing the data returned by the website to the wrong terminal.. which in turn ends up validating our logins for each others sessions. Because ... the isp's caching responded with the right credentials, now the "seed" you spoke of, is sitting on the other guys computer and on my computer as its a 2 way street.. and we can effectively maintain this logged in to wrong account state until the original sites "force you to log in again" which on many sites could be never or several weeks later

    26. Re:But... what? by Bob9113 · · Score: 1

      Surely you troll, or are you simply being facetious? You must be capable of comprehending that my implication was that if you are intentionally using an insecure channel, considering the data which you send through that channel to be secure is folly. Please, do us all a favor, and attempt to grasp the intent without assuming that the poster is retarded. This community, including myself, deserves better.

      --
      Stop-Prism.org: Opt Out of Surveillance
    27. Re:But... what? by mdwh2 · · Score: 1

      Someone got out of bed the wrong side today! Please, do us all a favor, and attempt to grasp my intent. This community, including myself, deserves better.

      Yes, I'm sure you didn't mean that - but then what on earth did you mean? Ah, now you retreat to:

      if you are intentionally using an insecure channel, considering the data which you send through that channel to be secure is folly.

      Now let's look at what the person you replied to say:

      If the site does not offer HTTPS, it is good practice to assume the information you store there is not secure.

      In other words, the same bleeding thing as you're now saying! (Or if anything, the original statement was broader, as it doesn't require intent, and includes people who aren't aware of the differences.) So in that case, what were your additional two points about, if they (a) weren't what I read them as, and (b) they were stronger than what the OP was saying?

    28. Re:But... what? by mysidia · · Score: 4, Insightful

      No, it still doesn't make any sense. If you made a port 80 request to the web site, your phone has to pick a SOURCE PORT to establish the TCP socket.

      Someone else requesting a page would have a different Source IP Address and a different source port.

      So if you suddenly got their IP address, your phone's TCP stack should drop the packet.

      Something is amiss... I think they're intercepting your request with a transparent HTTP proxy (or something like that), and a bug in the proxy server sent the response to the wrong user.

      Oh, and by the way.. how session cookies work.... a new cookie gets sent to the browser with every HTTP request, most likely, to extend their session (e.g. time-out idle period extended by issuing a new cookie).

    29. Re:But... what? by jc42 · · Score: 2, Informative

      Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.

      Some recent testing of web sites on the iPhone and G1 phone have also shown that using the client's IP address as part of the "session" information simply doesn't work. With both of these phones, successive HTTP requests from a single phone often come from different IP addresses. In the tests I did, the set of IP addresses was small (2 to 4), and I suspect that it might have something to do with being in contact with several cell towers. The phones appear to be "NATted" behind several different addresses. So from the client's viewpoint, a session that depends on the IP address appears to work intermittently.

      It's yet another argument in favor of IPv6, except that the phone companies and ISPs don't seem to be at all interested in going that way.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    30. Re:But... what? by node+3 · · Score: 1

      I find it decidedly scary that people are so happy to conduct critical (e.g. banking) transactions via a device which by its highly stealable nature (if nothing else) is so obviously not secure.

      Stealing a phone does not also steal your bank password. And the iPhone (for example) has end-user secure remote wipe functionality.

      I have no objection to being able to call up the occasional map or wikipedia entry on my phone (which I can), but I prefer to use a "real" computer, since I don't care for straining my comparatively poor eyesight on handheld devices or dealing with poor text entry methods.

      Yes, poor eyesight, or lack of hands, etc., tend to make using a phone difficult. But for everyone else...?

      I have yet to be convinced that the "there's an app for that" gimmmick will stand the test of time.

      Oh, that's adorable. Over 3 billion apps have been downloaded for the iPhone (both paid and free, but this does not count updates). I don't foresee a mechanism whereby people will suddenly decide that they no longer want portable apps. Well, unless our eyes all go at once or something.

    31. Re:But... what? by mysidia · · Score: 2, Interesting

      I doubt that. It's more likely they intercept the TCP request and pass it through a HTTP proxy farm (transparent connection hijacking)

      I think many don't use NAT at all... Remember the iPhone SSH vulnerability? Can you explain how it is that jailbroken iPhones are being compromised by an SSH vulnerability, if carriers are using NAT?

      The source port number field is only 16-bits: so there are only a certain number of connections that can be NAT'ed behind one IP address. Basically, 30k source ports per IP.

      Whenever a TCP connection is made, a new source port is required. Also, the source port is required for the duration of 1 MSL (approximately 5 minutes) after the connection is closed. So that means, if I browse the web on my phone for 20 minutes, and visit google and 20 web sites, a minimum of 17 source port numbers will be required by my activity, after considering things like images, AJAX, multitasking, e-mail and other apps, it's more like 50 or 60 source ports needed.

      So only a few hundred phones can NAT to the same IP without being at high risk of using up TCP port slots, anyways.

      On carrier grade networking gear, NAT'ing is very expensive, due to the state keeping requirements, and creates new possible failure modes for their network.

      Every outbound connection requires a NAT translation entry, kept for the duration of the connection, and again, a MSL after the shutdown of the socket. And then there's DNS, which generates even more translations....

    32. Re:But... what? by welsh+git · · Score: 1

      errr, proxies cache content, not the headers. Under your scenario, yeah, someone could receive someone elses "page" but they would NEVER get the cookie, so your POSTS would still fail

      --
      Sig out of date
    33. Re:But... what? by welsh+git · · Score: 1

      I'm not even going to bother testing this.

      If it's a contest between facebook screwing up the correct settings of headers, and AT&T screwing up how they cope with such headers, I'd bet my arse on the latter.

      In fact, if it was the former, we'd have heard this story a LONG time ago (how many companies allow facebook, but use proxy servers? Very many that even I can think of!

      --
      Sig out of date
    34. Re:But... what? by Zero__Kelvin · · Score: 1

      "Perhaps, but the one time it happened to me it was on a computer to which only I had physical access."

      Information gets out, and people get access to information in ways of which you may be unaware. For example, based on your post I have determined the name of the OS you run!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    35. Re:But... what? by Mr.+Shiny+And+New · · Score: 1

      Some of the things you mention as requiring lots of connections could be handled by proxies or replacements inside the NAT. For example, DNS and HTTP can be inside the NAT. This would reduce the number of connections that need to actually cross the NAT boundary from the phone itself.

    36. Re:But... what? by Wannabe+Code+Monkey · · Score: 1

      A strong hash of your password is, for all intents, random. The point of a hash is that it's very hard to go from the hash back to the input string to the hash.

      But if what you're looking for is randomness why not just go out and get an actual random number? There's no reason to directly tie it to the password at all. All you're doing is opening yourself up to offline dictionary attacks and rainbow table lookups if someone gets a hold of the cookie, and hashes are being shown all the time to have various deficiencies and collisions. Why bother opening yourself to all of that if you don't need to?

      --
      We always knew Comcast was corrupt, here's the proof: http://tech.slashdot.org/comments.pl?sid=1909890&cid=34545432
  2. It's not a GLITCH! It's AUTOMATIC HACKING! by Anonymous Coward · · Score: 1, Funny

    It's a feature, NOT a flaw.

  3. How half of all customer support calls begin by jarocho · · Score: 4, Funny

    Quote from the article:

    "I thought it was the phone -- 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it...'"

    1. Re:How half of all customer support calls begin by Anonymous Coward · · Score: 1, Funny

      Well, do you have any proof that it's not a magical phone???

    2. Re:How half of all customer support calls begin by Agent+ME · · Score: 1

      If you had a phone that did magical things, why would your first response be to get rid of it?

    3. Re:How half of all customer support calls begin by Arthur+Grumbine · · Score: 1

      Well, do you have any proof that it's not a magical phone???

      The article specifically said it was a Nokia, not an iPhone.

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  4. the american response by anonieuweling · · Score: 2, Funny

    should be:

    SUE the hell out of them.

    1. Re:the american response by Stargoat · · Score: 1

      No no. The American response is:

      Class action lawsuit.

      --
      Hoist Number One and Number Six.
  5. Good thing that Gmail is all https now by rolfwind · · Score: 4, Insightful

    Probably will take Yahoo only another 15 years to catch up. Wish all other services with even a small chance of transmitting private data would do the same. Even if they charged for it (i.e. a premium account).

    1. Re:Good thing that Gmail is all https now by XPeter · · Score: 2, Informative

      Gmail has supported HTTPS since it's release, only now are they making it standardized.

      --
      "The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
    2. Re:Good thing that Gmail is all https now by rolfwind · · Score: 2, Insightful

      Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure. (Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)

    3. Re:Good thing that Gmail is all https now by XPeter · · Score: 1

      (Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)

      Score:5, Truth.

      --
      "The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
    4. Re:Good thing that Gmail is all https now by tsa · · Score: 1

      its

      --

      -- Cheers!

    5. Re:Good thing that Gmail is all https now by The+Wild+Norseman · · Score: 1

      something that I was wondering about for a long ti... hey! Why am I suddenly finishing this sentence under someone else's account? I'm tsa dammit! Who the hell is The Wild Norseman anyway?!?

      --
      "A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
    6. Re:Good thing that Gmail is all https now by Just+Brew+It! · · Score: 1

      Seems to me that the only reason https has not become more widespread already is the computational load it places on web servers and browsers, due to the encryption. Given that even mobile devices now have more CPU horsepower than a desktop system from the early days of the Web, it is high time that we move anything that involves even marginally sensitive data to a secure protocol.

    7. Re:Good thing that Gmail is all https now by BrokenHalo · · Score: 1

      Given that even mobile devices now have more CPU horsepower than a desktop system from the early days of the Web...

      True, but don't forget that an iPhone can only do one... thing... at... a... time.

    8. Re:Good thing that Gmail is all https now by coolgeek · · Score: 1

      Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure.

      Except you're suggesting a browser-based email service, so all bets are off once the next browser vulnerability is discovered.

      --

      cat /dev/null >sig
    9. Re:Good thing that Gmail is all https now by XPeter · · Score: 1

      I use Thunderbird :)

      --
      "The difference between genius and stupidity is that genius has it's limits" - Albert Einstein
  6. Article Comments by Aldenissin · · Score: 1

    Reading the article's comments (Ya, I know ban me for RTFA lol) the issue appears to be quite widespread, and possibly on Facebook's end. They appear to not sue encryption once you log in, so that is definitely a weakness there. But that "costs" more bandwidth... but if Google can do it and switch to HTTPS... but of course this is email, not public humiliation we are talking about here.

    --
    Like a city whose walls are broken down is a man who lacks self-control.
    1. Re:Article Comments by djsmiley · · Score: 1

      It uses more bandwidth due to encrypted data being larger than unencrypted.... think about it (For the transmitter).

      It uses more CPU (at the encrypter and decrypter ends).

      However for the transmitter, the data is merely larger, its no harder to handle encrypted data than it is to handle unencrypted data.

      --
      - http://www.milkme.co.uk
    2. Re:Article Comments by coolgeek · · Score: 1

      unless they have some sort of network cache at work

      Like most every ISP in the world, to save bandwidth? Look at your server logs, if you have any. You'll see a lot of different users coming from a single IP address. That's a transparent proxy at their ISP.

      --

      cat /dev/null >sig
  7. Technical details please! by Azureflare · · Score: 1

    Did the session IDs get crossed? This is the only thing I can think of: that the cookie got sent to the wrong handsets, perhaps because they were logging in simultaneously. This would be very worrisome if it were true, as it would not apply to other sites besides facebook, e.g. banking sites.

    However, I'm wondering if it may be a problem with the Facebook login system. Perhaps there is something wrong with how they identify a browser who is currently logging in, and they confused handsets on the carrier (since they probably share IPs with other handsets).

    More testing needs to be done to determine if this really is an ATT issue, or just a facebook issue. Facebook doesn't exactly have cast-iron, secure code, from my experience.

    Also, AJAX can get wonky sometimes if you don't code it right, and facebook relies on a lot of AJAX now.

    1. Re:Technical details please! by Azureflare · · Score: 1

      Correction, first paragraph should end with "as it would apply to other sites besides facebook, e.g. banking sites."

    2. Re:Technical details please! by mother_reincarnated · · Score: 1

      Very likely could affect other sites, but one would hope they don't man-in-the-middle https.

    3. Re:Technical details please! by Anonymous Coward · · Score: 1, Insightful

      The article is poorly written and obviously is a hearsay of technical information loosely translated into something people might read.

      The description of the potential scope of the problem (all of the internet, everybody, all of the time) is laughable. Of course if I get a flat tire from a nail, and if nails are used everywhere, then everyone's tires are at risk from nails all of the time. And we should all stay home. Better to find out why that nail was there and if there is someone dropping nails on the road.

      Sounds like a bad session cookie, either at Facebook server or loadbalancer. Or perhaps some network cache/proxy that keeps session info. If it was a TCP connection that an IP router went bonkers on then a lot of other session things would go wrong too and packets would drop. Its a complex world we live in so there is always the possibility that something weird and not so wonderful happened.

      er.. awaiting better information

  8. Caching by nOw2 · · Score: 5, Interesting

    I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.

    I am specifically talking of the horror that is Microsoft's ISA server.

    At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.

    1. Re:Caching by sootman · · Score: 1

      ... I have seen similar things happening with poor-quality web caching proxies. I am specifically talking of the horror that is Microsoft's ISA server.

      Happened to Google, too.

      --
      Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  9. Cool by Broken+scope · · Score: 1

    This happened to me in Virgina a few weeks back. AT&T is my service provider. Promptly logged out so I could get onto mine.

    --
    You mad
    1. Re:Cool by TheRaven64 · · Score: 2, Interesting

      Wait, let me get this straight:

      You used a connection, realised that it had a security hole that was disclosing login information to third parties, and then provided it with your login information.

      --
      I am TheRaven on Soylent News
    2. Re:Cool by Arthur+Grumbine · · Score: 1

      Facebook's a helluva drug.

      --
      Now that I think about it, I'm pretty sure everything I just said is completely wrong.
  10. The feeling is mutual by lildogie · · Score: 3, Funny

    She ought to consider how the phone is probably feeling the same way about its user.

    1. Re:The feeling is mutual by apraetor · · Score: 1

      They probably bought refurb phones (knowingly, or not..) and the phones hadn't been wiped since the last customer used them.. hence they were still signed into Facebook.

  11. NAT problem on ATT's WAP gateway? by rkasper · · Score: 1

    Might have been a NAT problem on ATT's WAP gateway.

  12. Almost certainly by dereference · · Score: 2, Interesting

    I have no inside details on AT&T or Facebook, but what you've described is almost certainly the problem. AT&T very likely use fairly aggressive caching proxies, especially lately to help mitigate their infamous capacity issues. I'd say that what happened here is pages are being cached without proper regard for cookies. That's fine for sites that don't have custom accounts, and only use cookies for tracking various page view statistics. But Facebook (like nearly every other site in the world that requires a login) issues a cookie to identify you, once you've entered your credentials. So that cookie is how the server knows it's you, and not somebody else. If AT&T's forward caching proxies ignore this cookie, and just give you the most recent page served from Facebook, you're sure to hijack somebody else's session. And, since your first request sends your new credentials, the person you've hijacked (if still online) will now have passively hijacked your session, explaining the last scenario from TFA where sessions appeared to have been swapped.

  13. Hardly new in end effect... by shoppa · · Score: 4, Interesting

    The article says:

    Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else.

    But I, as a just random user of some commercial (read: mail-order, telephone company, etc.) websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies although that is purely a guess, maybe indeed there was some hijacking going on at the network level.

    Some of these websites were supposedly "https" but some inspection of HTML source revealed this was just the frame, the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URL's in those frames I could see arbitrary customer's account info.

    I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.

    1. Re:Hardly new in end effect... by jc42 · · Score: 1

      Several security experts said they had not heard of a case like this, ...

      But I, as a just random user of some commercial ... websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. ... I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.

      And here we have a nice summary of how the legal (and political) system gets it all wrong. They often set up laws that punish the victims who report such problems. The result is that the victims stop reporting problems. The law-enforcement people and the politicians can then say that (reported) violations have decreased, so the laws must be effective.

      It's an old story. It's especially common in the software business, where people who merely make inquiries about security-related problems are commonly classified as "hackers". So the people who want to solve the problems learn to keep very quiet. In forums like this, we see people asking "Why is it all so bad?" A good part of the answer is that the smart people have decided to not get involved, because they value their own freedom.

      It's also the story behind the frequent attempts to shut down the sites that collect "file sharing" information. You'd think that the copyright owners would welcome such sites, as they help finger the copyright violators. But instead, they sue the owners of the sites that point to the violators.

      "Punish the messenger" seems to be a natural human reaction to news about things we don't like. And "If we don't know about it, it's not happening."

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  14. It's not entirely new by anorlunda · · Score: 1

    In the pre-LAN days of the 1980s we used to use terminal servers to connect dumb terminals to the computers. Their purpose was to dish our point-to-point connections on demand.

    Once in a while, perhaps due to a power glitch, the terminal servers would drop all connections and then immediately reconnect everyone at random. Users abruptly found themselves in the middle of someone else's session.

    Old technology or new, connection errors are bound to happen once in a while.

    The true risk here is misplaced confidence. People simplify; errors that happen very rarely are mentally simplified to "never happens." They then become sloppy and unguarded.

    In parts of India where customers suffer electric blackouts 4-5 times per day, commerce is so robust that they hardly notice. When a regional blackout happens in a Western country once every 10 years or so, many people are caught unprepared.

    Fire departments hold regular drills to maintain preparedness skills. The frequency of real life emergencies is not sufficient. Perhaps the public would be best served by participating in regular Internet drills, but I'm not going to hold my breath waiting for that to happen.

  15. CLEARLY a web proxy problem... by nweaver · · Score: 3, Insightful

    On the IP layer, this wouldn't happen, because there are cookies contained in the web traffic that are used to route things on the Facebook end, simply because there are NATS and the like.

    Thus the problem is whatever in-path HTTP proxy AT&T is using for their phones that crossed things over.

    In-path HTTP proxies and caches can be very hard to find and may produce all sorts of interesting subtle problems when there are bugs in them.

    --
    Test your net with Netalyzr
  16. Similar problem on my facebook app by qwertyatwork · · Score: 1

    I have an iPhone with the facebook app with t-mobile. After updating to the newest version, I keep getting notifications for other people. I let facebook know but didn't get a reply. Is anyone else having this problem?

  17. There are still a lot of bad caches... by nweaver · · Score: 2, Insightful

    Bad in-path caches are something we specifically check for on Netalyzr. Its suprising the number of BAD in-path caches still exist, which cache data that the HTTP server said "for the love of god, don't cache".

    More, what has happened is that bandwidth has gotten cheap, so fewer people are DOING caches, and when they are caching, its more likely for latency not bandwidth savings (eg, we see a lot of caching for users from South Africa).

    --
    Test your net with Netalyzr
  18. ...and AT&T strikes again. by Just+Brew+It! · · Score: 1

    This is sheer incompetence IMO. It is sad to see the organization which originally spawned Bell Labs -- arguably the most important private sector research organization the US has ever seen -- reduced to this. (Not to mention the fact that Lucent, nee Bell Labs, is now but a mere appendage to the French telecom operation Alcatel.)

    1. Re:...and AT&T strikes again. by John+Hasler · · Score: 1

      First, we don't know for sure that this is not a Facebook problem (an organization not renowned for technical competence). Second, the company currently known as AT&T has no connection with the original AT&T other than the name.

      > ...Lucent, nee Bell Labs...

      Nee Western Electric.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:...and AT&T strikes again. by Just+Brew+It! · · Score: 1

      If it was a Facebook problem I think we would've also heard about it from people who don't have AT&T as their ISP. Though I tend to agree that Facebook isn't exactly the pinnacle of security best practices either...

  19. T-Mobile by flawd1 · · Score: 1

    I had something like this happen to me on T-Mobile a couple weeks ago. A mother and daughter were trying to call each other one night, and each call went to me. It went on for over an hour. I even tried to call their numbers back and got my voicemail.

  20. Showing, once again by russotto · · Score: 1

    ....that if you really need data to be secure, end to end security is the only way to go. That way, no matter what happens in the network (short of man in the middle attacks by a trusted or very resourceful attacker), either only you get your data, or nobody does.

    Of course I'm here on slashdot via a non-secure connection, but the worst that happens here is someone steals my account to post obnoxious shit. (and who would notice?)

    1. Re:Showing, once again by jc42 · · Score: 1

      ....that if you really need data to be secure, end to end security is the only way to go.

      If you dig around in any archives related to the topic of computer security, you'll find this comment all over the place, and in the earliest documents you can find. It's well understood that if you rely on a lower "comm" layer for security, the people in charge of that layer have full access to everything you send or receive.

      This is why so many security people tend to just snicker at network-level security features. They explain why this is purely a waste of cpu cycles (and sometimes also bandwidth), because you have to provide your own security at the top level anyway. But hardly anyone ever listens to them.

      Some have argued that the lower-level security doesn't hurt, and may add some security in cases where the end users didn't do the job. But others reply that, in practice, it does hurt, because it tricks many users into believing that "the system" provides security, so they don't have to. We're starting to see the effects of this now, with the growing reports of ISPs and other comm companies intentionally violating their users' privacy. And again, the security experts just snicker, because it's exactly what they were warning us about decades ago.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  21. Re:This makes no sense... by Ungrounded+Lightning · · Score: 3, Interesting

    How in the World can this be AT&T's fault ...

    1) Alice and Bob are both logging in to facebook. They send the last message of the login at nearly the same time.
    2) Facebook
    3) AT&T gives Alice's cookie to Bob. (Several ways to do this.)
    4) Because Bob's browser was expecting the reply with the cookie from Facebook it accepts it and continues with the login step. Except for having the wrong cookie everything is as it should be.
    5) Bob's transactions are marked with Alice's cookie until he logs out, logs in again, or the session expires. He's logged in as Alice.

    If you read the fine article, one of the examples is exactly that. In step 3) "Bob" and "Alice" had their replies-with-cookie swapped so they each ended logged in as the other.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  22. MITM by gmuslera · · Score: 1

    Unless are women, the people working at your service provider (and all the layers between you and your target site) are in fact man in the middle. That they decide to "attack" by their own choice or i.e. government order is up to them, but is up to you being aware of that and take measures to minimize risks. Unless we are talking about facebook, of course, there lack of privacy don't seem to be a big priority.

  23. What makes this "little known"? by Jessta · · Score: 1

    What makes this "little known"?
    This is the whole reason we have SSL(TLS) and happens all the time, except usually nobody notices.

    --
    ...and that is all I have to say about that.
    http://jessta.id.au
  24. cell phone internet uses a nat based system the hi by Joe+The+Dragon · · Score: 1

    cell phone internet uses a nat based system the higher priced plan have real ip's. I think that media net is nat based.

  25. Re:HTTPS won't necessarily fix this! by Bob9113 · · Score: 1

    Using an untrusted proxy (and I assume you don't trust some third party corporation whose contract with you essentially says "all your base are belong to us") to handle your SSL connections is the same as not using SSL.

    --
    Stop-Prism.org: Opt Out of Surveillance
  26. How she knew it wasn't her account by Fnord666 · · Score: 1
    When describing how she knew it was not her account, Candace replied that

    "He's white -- I'm not,"

    Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.

    --
    'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
    1. Re:How she knew it wasn't her account by 93+Escort+Wagon · · Score: 1

      Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.

      The article says what tipped her off was a photo of the site's owner. I would think that skin color would stand out as much as gender when you first see a photo.

      Plus, really, I'm a bit tired of all this pussy-footing around when it comes to race. We should be able to reach a place where we treat everyone else with respect, yet still are able to recognize our differences for what they are - not better than someone else's, nor worse; just different. A person's race is a legitimate part of their heritage and their personal story.

      A quilt is rather boring if it's all just one color.

      --
      #DeleteChrome
  27. Mod parent down by 93+Escort+Wagon · · Score: 1

    He readily admits to reading the article! Not only the article, but even the comments! We can't have that on Slashdot - we've got to nip this in the bud.

    --
    #DeleteChrome
  28. Re:"Informative"? That's stupid and you're stupid. by welsh+git · · Score: 1

    Obviously, he didn't RTFM... But are you new around here? This is slashdot!

    --
    Sig out of date
  29. I can confirm this by yamamushi · · Score: 1

    I have been getting facebook notifications for someone in Germany, I get notified of all the comments posted on their profiles. I thought this was something wrong with the facebook application itself, but this confirms my suspicions that there is a deeper issue at hand.

    --
    - Aetheral Research -
  30. Re:HTTPS won't necessarily fix this! by welsh+git · · Score: 1

    I'm not disagreeing with what you say, but pointing out that everything on facebook is public anyway.

    In less you specifically set it, everything is visible to your 'friends' and this also means any application your friends have used... all those piddly quizzes etc. that people run once, and never de-authorise, have virtually as much information to stuff as that person does itself.

    That includes photos, and notes and everything else.

    If you use facebook, go to settings -> application settings and look at how much dross you still have 'authorised'.

    Then realise that not only can all these applications access all your stuff, but so can all the authorised dross on ALL your friends accounts (there is a setting somewhere obscure that lets you change this)

    I'd NEVER put anything on facebook that was actually private, whether I used https or not!

    --
    Sig out of date
  31. Re:HTTPS won't necessarily fix this! by Anonymous Coward · · Score: 1, Insightful

    No. HTTPS proxies can't really do much because they are proxying encrypted information. They can't cache because everything is encrypted. They just forward encrypted information. Think of them as a special type of router that handles only HTTPS requests. Regular IP routers can't do anything like what is described in the article to HTTPS transmissions. The difference is that HTTP proxies are supposed to cache data; since it is unencrypted, they can do that. The proxies in the article somehow messed up in their caching duties.

  32. Rates? by sjames · · Score: 1

    So, AT&T, tell us again what makes your service worth those outrageous rates? It seems you can't even assure that you won't deliver my data to a complete stranger.

  33. Something similar happened to me in 2005 by JNSL · · Score: 1

    In the fall of 2005, I was in a computer lab in Italy. There were probably 10 or 12 desktop stations. We'd often have trouble with our sessions temporarily crossing. So I'd be on Facebook and then all of a sudden somebody else's profile would show up when I'd click a link to my profile. Similarly, this would happen to other people. We couldn't make any changes - a single click to a new page would take us back to our account. Facebook was a very different operation back then, but I always assumed it was the network admins who were at fault.

  34. Re:This makes no sense... by apraetor · · Score: 1

    Timing isn't everything. Alice and Bob also would've needed to have selected the same source-port for the last message they sent, or else the swapped replies would've been ignored.

  35. Re:This makes no sense... by Zero__Kelvin · · Score: 1

    Great, now you've leaked their names ...

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  36. Facebook also screwed up here with their auth! by freaker_TuC · · Score: 1

    The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.

    I cannot understand why Facebook didn't add the ip address to the hash of the login; making it impossible to use the same cookie with another IP address.
    I simply cannot understand. I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.

    I'd think BOTH are in error; facebook for having ratsass security and the phone company of making this possible.

    Makes one wonder too; how safe we really are for MITM attacks; looking to this case...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    1. Re:Facebook also screwed up here with their auth! by jc42 · · Score: 1

      I even think mobiles generate their own UNIQUE identification code which can be used too for the mobile version of facebook.

      So where might my code find this?

      I just checked what my apache server tells a CGI program of mine when I connect from my cell phone. The only ID string I see is

      HTTP_USER_AGENT: "Mozilla/5.0 (Linux; U; Android 1.6; en-us; T-Mobile G1 Build/DRC83) AppleWebKit/528.5+ (KHTML, like Gecko) Version/3.1.2 Mobile Safari/525.20.1"

      I can easily tell what kind of phone this is. So can my code, which sends the "Mobile" version of pages to my phone. (That's what I'm testing, actually.) But I don't find anything passed telling my code which of the millions of G1 phones this is. I also tested it with my wife's iPhone, and found the same things. My code gets a HTTP_USER_AGENT string that contains "iPhone", but nothing like a serial number or other unique identifier anywhere.

      IP address doesn't work. Sometimes they both send the same IP address. OTOH, successive requests from either of them often come in from different IP addresses. These addresses are presumably associated with several nearby cell towers that our phones can "see". During the last few minutes, the only address I saw from them was 208.54.90.77 (m4d5a36d0.tmodns.net), but both get several other addresses at other times.

      So if there are several iPhones or G1 phones all contacting my server at about the same time, how would my code tell them apart? Do you have a link to a page that explains how to do this?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  37. Re:"Informative"? That's stupid and you're stupid. by samkass · · Score: 1

    If what you said was remotely true, none of the buttons or links would work. Dur.

    Not true. The links and buttons simply take you to other URLs which would also have gotten cached by the caching proxy server. (The friends page on facebook is "http://www.facebook.com/friends", which is just another URL to cache.)

    Dur indeed.

    --
    E pluribus unum
  38. The Moral of the Story: by dugrrr · · Score: 1

    Click the damn "logout" link to end the session.

  39. Telecom Question by dugrrr · · Score: 1

    I know that cell calls use (or used to use) a form of security that involved constantly rotating calls from channel to channel (or whatever the terms are). Does data access work in this way whereas AT&T just handed over an open session (possibly from a dropped 'call')?

  40. This quote rocks by Nyder · · Score: 1

    ...
    "I thought it was the phone -- `Maybe this phone is just weird and does magical, horrible things and I have to get rid of it,'" said Candace Sawyer. ...

    --
    Be seeing you...
  41. new Facebook exploit available for CEO's? :S by freaker_TuC · · Score: 1

    do these things remember cookies ?
    As soon as that's possible, an unique id can be assigned ...
    Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.

    I've seen earlier some entries from Perl code around cpan about mobile authentication, possibly with a few brands only; but cannot remember the right module anymore. There is some Ericsson code available through the web.

    I wonder if this "bug" is also possible through Facebook Connect, because that would mean an extreme privacy risk for users behind a company proxy!

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
    1. Re:new Facebook exploit available for CEO's? :S by jc42 · · Score: 1

      do these things remember cookies ?

      The browser on my G1 has an explicit "Accept cookies" setting, so the answer is "sometimes". ;-) This is, of course, typical behavior in most browsers. There's also the usual "Clear all cookie data" item in the Settings menu. But it does mean that you can't simply rely on cookies working. As with things like javascript, the person running the browser can disable cookies.

      Add to the mix the useragent, ip, proxy info and (hash of an) internal identifier == unique id.

      Or you could do as I've seen some sites do, and which I've done on occasion: Generate a unique "session id" which is passed to the client in various ways such as a "hidden" input variable or as part of URLs in links, to be passed back to the server in subsequent requests. This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.

      But that's where https comes in ...

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  42. It's not about safest but by freaker_TuC · · Score: 1

    This is no more difficult than a cookie to spoof by a man-in-the-middle such as an ISP.

    If the IP and other environment variables are passed together with that id; it would be "more" locked to location and client.

    For facebook with it's own security gateway (Facebook Connect), I've been expecting this session id to be at least that secure ...

    --
    --- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
  43. Re:This makes no sense... by Ungrounded+Lightning · · Score: 1

    Great, now you've leaked their names ...

    Ho ho! B-)

    (For those not familiar with academic crypto-speak: "Alice" and "Bob" are typically used rather than "user A" and "user B" for describing a communications security scenario. Usually Alice and Bob are the communicating parties but in this case I've (mis)used them for two people trying to communicate with Facebook nearly simultaneously. Another such name is "Eve", the canonical eavesdropper.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  44. Re:This makes no sense... by Zero__Kelvin · · Score: 1

    "(For those not familiar with academic crypto-speak: "Alice" and "Bob" are typically used rather than "user A" and "user B" ... Another such name is "Eve", the canonical eavesdropper.)

    Right. Also there is Cathy and Dave, but you never hear about them because they are Clueless and Disinterested ;-)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun