Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Glitch Connects Users To Wrong Accounts

Posted by Soulskill on from the reach-out-and-touch-some-one-at-random dept.

CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

4 of 138 comments (clear)

  1. Re:But... what? by MtHuurne · · Score: 5, Insightful

    I don't know how Facebook does it specifically, but many sites will give the user a session cookie after entering his/her username and password. All further requests use that session cookie to identify the user. It sounds like a proxy at AT&T served a cached response belonging to someone else and that included a session cookie that was still valid (not logged out or expired).

    It may be a bug in the proxy or a bug in the HTTP headers set by Facebook that instruct how a response should be cached. It does show that it is a good idea to use HTTPS when accessing private data, not just for banking. If the site does not offer HTTPS, it is good practice to log out when you're done, so that the server will invalidate the session cookie.

  2. Caching by nOw2 · · Score: 5, Interesting

    I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.

    I am specifically talking of the horror that is Microsoft's ISA server.

    At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.

  3. Re:But... what? by mother_reincarnated · · Score: 5, Insightful

    What is almost certainly happening is that AT&T is using a proxy which implements HTTP Pipelining, but is screwing up and not correctly pairing the requests/responses from different sessions. It's probably just more likely to happen on a site like Facebook where many many users on the same proxy are going to the same non HTTPS site...

  4. Re:But... what? by samkass · · Score: 5, Informative

    My guess is that it's as simple as this: the http returned by a request to "www.facebook.com" was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant... once AT&T cached the page it thought of as "www.facebook.com" it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user's page.

    This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it's still an easy mistake to make if you're setting up a caching proxy.

    --
    E pluribus unum