Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Glitch Connects Users To Wrong Accounts

Posted by Soulskill on from the reach-out-and-touch-some-one-at-random dept.

CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

14 of 138 comments (clear)

  1. How half of all customer support calls begin by jarocho · · Score: 4, Funny

    Quote from the article:

    "I thought it was the phone -- 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it...'"

  2. Good thing that Gmail is all https now by rolfwind · · Score: 4, Insightful

    Probably will take Yahoo only another 15 years to catch up. Wish all other services with even a small chance of transmitting private data would do the same. Even if they charged for it (i.e. a premium account).

  3. Re:But... what? by nate_in_ME · · Score: 3, Insightful

    I'm guessing what happened in this case is that AT&T had other users who had logged into their Facebook accounts as well, and after logging in, the wires essentially got crossed, and the wrong Facebook data got sent to each handset.

  4. Re:But... what? by MtHuurne · · Score: 5, Insightful

    I don't know how Facebook does it specifically, but many sites will give the user a session cookie after entering his/her username and password. All further requests use that session cookie to identify the user. It sounds like a proxy at AT&T served a cached response belonging to someone else and that included a session cookie that was still valid (not logged out or expired).

    It may be a bug in the proxy or a bug in the HTTP headers set by Facebook that instruct how a response should be cached. It does show that it is a good idea to use HTTPS when accessing private data, not just for banking. If the site does not offer HTTPS, it is good practice to log out when you're done, so that the server will invalidate the session cookie.

  5. Re:But... what? by bondsbw · · Score: 3, Insightful

    That's my thought... but I still don't see how things like this get "crossed". Even if your IP address got switched with another during a request, at most I would expect you to wind up is receiving one page. When you load the next page, or make the next AJAX request, you wouldn't have the session cookie and it would kick you back to the login screen.

    Unless of course Facebook sends the auth cookie in every response, or the "wires" got crossed just when the other person was making a login request.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  6. Re:But... what? by something_wicked_thi · · Score: 4, Informative

    Yes, but typically, the way you log in to one of these services requires that you have cookies enabled. There's a cookie in your local browser that has information derived from your password. For example, imagine facebook stores your password in its database as a sha1 hash of a salt and your password. E.g. the entry facebook has stored might look like this:

    salt = string(rand64())
    password_hash = sha1(salt + password)

    Now, to authenticate, you send facebook your password and they use the saved salt to see if it matches the stored sha1 hash. What they send you back would be a token to put into your cookie like this:

    token = (date, username, sha1(password_hash + date))

    Now, they make the token good only for a certain amount of time after the date. Say three hours. When facebook gets another request, it checks to see if the token is valid by comparing the date and username and then looking up the password hash for that username. It then recomputes the sha1 hash in the token to make sure it's valid.

    Using this model, it's completely impossible to log in to another account by "switching the wires". You can log in to an account simply by stealing the cookie, but that grants you log in access for only a single session.

  7. Caching by nOw2 · · Score: 5, Interesting

    I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.

    I am specifically talking of the horror that is Microsoft's ISA server.

    At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.

  8. Re:But... what? by mother_reincarnated · · Score: 5, Insightful

    What is almost certainly happening is that AT&T is using a proxy which implements HTTP Pipelining, but is screwing up and not correctly pairing the requests/responses from different sessions. It's probably just more likely to happen on a site like Facebook where many many users on the same proxy are going to the same non HTTPS site...

  9. Re:But... what? by samkass · · Score: 5, Informative

    My guess is that it's as simple as this: the http returned by a request to "www.facebook.com" was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant... once AT&T cached the page it thought of as "www.facebook.com" it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user's page.

    This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it's still an easy mistake to make if you're setting up a caching proxy.

    --
    E pluribus unum
  10. The feeling is mutual by lildogie · · Score: 3, Funny

    She ought to consider how the phone is probably feeling the same way about its user.

  11. Hardly new in end effect... by shoppa · · Score: 4, Interesting

    The article says:

    Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else.

    But I, as a just random user of some commercial (read: mail-order, telephone company, etc.) websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies although that is purely a guess, maybe indeed there was some hijacking going on at the network level.

    Some of these websites were supposedly "https" but some inspection of HTML source revealed this was just the frame, the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URL's in those frames I could see arbitrary customer's account info.

    I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.

  12. CLEARLY a web proxy problem... by nweaver · · Score: 3, Insightful

    On the IP layer, this wouldn't happen, because there are cookies contained in the web traffic that are used to route things on the Facebook end, simply because there are NATS and the like.

    Thus the problem is whatever in-path HTTP proxy AT&T is using for their phones that crossed things over.

    In-path HTTP proxies and caches can be very hard to find and may produce all sorts of interesting subtle problems when there are bugs in them.

    --
    Test your net with Netalyzr
  13. Re:This makes no sense... by Ungrounded+Lightning · · Score: 3, Interesting

    How in the World can this be AT&T's fault ...

    1) Alice and Bob are both logging in to facebook. They send the last message of the login at nearly the same time.
    2) Facebook
    3) AT&T gives Alice's cookie to Bob. (Several ways to do this.)
    4) Because Bob's browser was expecting the reply with the cookie from Facebook it accepts it and continues with the login step. Except for having the wrong cookie everything is as it should be.
    5) Bob's transactions are marked with Alice's cookie until he logs out, logs in again, or the session expires. He's logged in as Alice.

    If you read the fine article, one of the examples is exactly that. In step 3) "Bob" and "Alice" had their replies-with-cookie swapped so they each ended logged in as the other.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  14. Re:But... what? by mysidia · · Score: 4, Insightful

    No, it still doesn't make any sense. If you made a port 80 request to the web site, your phone has to pick a SOURCE PORT to establish the TCP socket.

    Someone else requesting a page would have a different Source IP Address and a different source port.

    So if you suddenly got their IP address, your phone's TCP stack should drop the packet.

    Something is amiss... I think they're intercepting your request with a transparent HTTP proxy (or something like that), and a bug in the proxy server sent the response to the wrong user.

    Oh, and by the way.. how session cookies work.... a new cookie gets sent to the browser with every HTTP request, most likely, to extend their session (e.g. time-out idle period extended by issuing a new cookie).