Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

AT&T Glitch Connects Users To Wrong Accounts

Soulskill posted more than 4 years ago | from the reach-out-and-touch-some-one-at-random dept.

Security 138

CAE guy writes "The Boston Globe is carrying an AP report which begins: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

cancel ×

138 comments

Sorry! There are no comments related to the filter you selected.

But... what? (2, Informative)

i_ate_god (899684) | more than 4 years ago | (#30790330)

Facebook login information is stored on the phone, is it not?

Re:But... what? (3, Insightful)

nate_in_ME (1281156) | more than 4 years ago | (#30790430)

I'm guessing what happened in this case is that AT&T had other users who had logged into their Facebook accounts as well, and after logging in, the wires essentially got crossed, and the wrong Facebook data got sent to each handset.

Re:But... what? (3, Insightful)

bondsbw (888959) | more than 4 years ago | (#30790512)

That's my thought... but I still don't see how things like this get "crossed". Even if your IP address got switched with another during a request, at most I would expect you to wind up is receiving one page. When you load the next page, or make the next AJAX request, you wouldn't have the session cookie and it would kick you back to the login screen.

Unless of course Facebook sends the auth cookie in every response, or the "wires" got crossed just when the other person was making a login request.

Re:But... what? (0)

Anonymous Coward | more than 4 years ago | (#30790582)

To save cost, phone companies tend to use a single IP-address for many phones at the same time. This is possible by doing some form of NAT, but if they don't do it properly and the authentication is depending on this, then things like this are possible.
It would be very difficult to do when the connection is actually encrypted, since the encryption keys are only exchanged once, and that exchange is designed to make sure only the correct parties end up with the keys.

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791278)

I would find it very unlikely that the auth servers care about NAT. Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.

Most likely, as another user has pointed out, it's a proxy disobeying the cache headers in the responses to Facebook's pages. It's also possible that Facebook is setting these headers incorrectly, though that seems less likely. There have also been reports of session cookies going to the wrong machines, which means that there may be multiple problems here (or those reports are crap).

Re:But... what? (2, Informative)

jc42 (318812) | more than 4 years ago | (#30792864)

Putting the IP address in the session cookie is a recipe for disaster considering how widespread NAT, dynamic IPs, and proxies are.

Some recent testing of web sites on the iPhone and G1 phone have also shown that using the client's IP address as part of the "session" information simply doesn't work. With both of these phones, successive HTTP requests from a single phone often come from different IP addresses. In the tests I did, the set of IP addresses was small (2 to 4), and I suspect that it might have something to do with being in contact with several cell towers. The phones appear to be "NATted" behind several different addresses. So from the client's viewpoint, a session that depends on the IP address appears to work intermittently.

It's yet another argument in favor of IPv6, except that the phone companies and ISPs don't seem to be at all interested in going that way.

Re:But... what? (1)

BrokenHalo (565198) | more than 4 years ago | (#30791464)

To save cost, phone companies tend to use a single IP-address for many phones at the same time.

Holy shit. That makes me glad I persist in using a comparatively "dumb" but very robust phone (a Motorola Razr2 V9), since the majority of my contacts don't function in realms beyond voice calls and SMS.

I find it decidedly scary that people are so happy to conduct critical (e.g. banking) transactions via a device which by its highly stealable nature (if nothing else) is so obviously not secure. I have no objection to being able to call up the occasional map or wikipedia entry on my phone (which I can), but I prefer to use a "real" computer, since I don't care for straining my comparatively poor eyesight on handheld devices or dealing with poor text entry methods. I have yet to be convinced that the "there's an app for that" gimmmick will stand the test of time.

Re:But... what? (4, Insightful)

mysidia (191772) | more than 4 years ago | (#30792780)

No, it still doesn't make any sense. If you made a port 80 request to the web site, your phone has to pick a SOURCE PORT to establish the TCP socket.

Someone else requesting a page would have a different Source IP Address and a different source port.

So if you suddenly got their IP address, your phone's TCP stack should drop the packet.

Something is amiss... I think they're intercepting your request with a transparent HTTP proxy (or something like that), and a bug in the proxy server sent the response to the wrong user.

Oh, and by the way.. how session cookies work.... a new cookie gets sent to the browser with every HTTP request, most likely, to extend their session (e.g. time-out idle period extended by issuing a new cookie).

Re:But... what? (1)

clang_jangle (975789) | more than 4 years ago | (#30790530)

It's really not that unusual. If you log in at amazon.com (or lots of other places) you see the "logged in as $name", and right near that a link that says, "not $name? log out". I remember once I went to some site and was logged in as someone else, but that was back in 1998...

Re:But... what? (1)

richlv (778496) | more than 4 years ago | (#30790694)

that's actually something completely different - it's meant for cases when somebody else has logged in using the same browser before (and thus cookies claim that person is still logged in)

Re:But... what? (1)

clang_jangle (975789) | more than 4 years ago | (#30790714)

Perhaps, but the one time it happened to me it was on a computer to which only I had physical access.

Re:But... what? (2, Funny)

coolgeek (140561) | more than 4 years ago | (#30792144)

Apparently not.

Re:But... what? (4, Informative)

something_wicked_thi (918168) | more than 4 years ago | (#30790536)

Yes, but typically, the way you log in to one of these services requires that you have cookies enabled. There's a cookie in your local browser that has information derived from your password. For example, imagine facebook stores your password in its database as a sha1 hash of a salt and your password. E.g. the entry facebook has stored might look like this:

salt = string(rand64())
password_hash = sha1(salt + password)

Now, to authenticate, you send facebook your password and they use the saved salt to see if it matches the stored sha1 hash. What they send you back would be a token to put into your cookie like this:

token = (date, username, sha1(password_hash + date))

Now, they make the token good only for a certain amount of time after the date. Say three hours. When facebook gets another request, it checks to see if the token is valid by comparing the date and username and then looking up the password hash for that username. It then recomputes the sha1 hash in the token to make sure it's valid.

Using this model, it's completely impossible to log in to another account by "switching the wires". You can log in to an account simply by stealing the cookie, but that grants you log in access for only a single session.

Re:But... what? (1)

TheRaven64 (641858) | more than 4 years ago | (#30790802)

It depends on what they mean by 'switching the wires'. There's nothing magic about cookies. They are just short strings that are sent with every HTTP request and response. A misconfigured HTTP proxy may forget to take them into account or ignore the nocache commands, so when you got to a URL you get back whatever the last person saw, irrespective of the fact that the cookie is different.

That's why you use end-to-end encryption for anything that contains personal information.

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791130)

The "magic" about cookies is that they are stored in your browser. Therefore, once you've got your cookie, no amount of "wire switching" is going to give that cookie to someone else.

What could happen is that the response to the login session goes to the wrong browser, but that seems a lot less likely since you'd need two sessions logging in simultaneously.

Yes, it's possible that it's a cache control header being ignored by a proxy, in which case the site would most likely be read-only.

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791204)

Replying to myself:

It seems that maybe it is that unlikely scenario. If you go to the second page of TFA:

The Sawyers experienced a different glitch. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information -- including the user name that Facebook members would enter to access their pages. Coe said technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.

I don't know how you can misconfigure a proxy that badly, but leave it to AT&T, I guess.

Re:But... what? (1)

coolgeek (140561) | more than 4 years ago | (#30792184)

A misconfigured proxy server (or web application with a front-end proxy that doesn't setup the Cache-Control header properly, for that matter) will store the cookies that were sent by the application server, and send copies of the same cookies along to the next requestor.

So, you go to the page http://facebook.com/profile [facebook.com] (for example, I'm not a fb user), your browser sends your cookie because you logged in yesterday, the application server sends the cookie back in the response. Then I come along, not logged in, go to http://facebook.com/profile [facebook.com] , my browser sends no cookie. The request is intercepted by the proxy server, never forwarded to facebook, and the proxy gives me your profile page and your cookie. Then I'm in on your account. When I go to change your password or change your status to "dolphin fucker", it goes via a POST request, so the proxy doesn't intercept, but my browser is now sending your cookie, so it works.

Re:But... what? (1)

Wannabe Code Monkey (638617) | more than 4 years ago | (#30791028)

There's a cookie in your local browser that has information derived from your password.

Why would the cookie have to be derived from your password? Isn't that generally a bad idea? I thought most web sites generated a completely random token for your cookie when you log in. On their end, they associate that random token with an authenticated session. They don't need the user to have any actual information in the cookie, just a unique ID that they can use to look up data on their end.

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791138)

A strong hash of your password is, for all intents, random. The point of a hash is that it's very hard to go from the hash back to the input string to the hash.

Re:But... what? (1)

coolgeek (140561) | more than 4 years ago | (#30792212)

Yes, it is a generally bad idea. The use of any constant or predictable value in a cookie used for maintaining a session is a bad idea. You want the value to rotate periodically to a new value to defend against someone copying cookies off of another person's computer.

Re:But... what? (0)

Anonymous Coward | more than 4 years ago | (#30791238)

It seems to me that switching the wires means that the HTTP responses you're getting back are responses that are intended for another party. ie. it doesn't matter what *your* cookies are because it's not your cookies that are producing the page - it's someone else's cookies.

The only real way to fix this would be to use https. If the responses get switched then neither you or the person whose response it was switched out with would be able to decrypt it as the symmetric key both parties would have (and that was generated through diffie-hellman key exchange or whatever) would not work on the response data.

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791412)

I read it as two sessions getting switched. I don't think of a proxy cache mixup as wires getting crossed, even though there apparently were two users who claim they got switched in just this fashion.

Funny coincidence considering gmail just switched to SSL a few days ago.

Re:But... what? (0)

Anonymous Coward | more than 4 years ago | (#30791438)

I'm 100% certain they don't hash the password for the token. They simply generate a random token and store it in a database somewhere.

However, your browser doesn't magically know what that token is. The server has to tell the client what cookies to store and send back later.

If the server (or att in this case) sends the page, including the header that sets the cookie, to the wrong user, that user has control of the session for as long as the cookie is valid.

It isn't limited to login since the cookie expiration time is updated fairly frequently (perhaps every page).

Re:But... what? (1)

something_wicked_thi (918168) | more than 4 years ago | (#30791624)

I'm 100% certain they don't hash the password for the token. They simply generate a random token and store it in a database somewhere.

I have no inside knowledge. But that way works equally well as long as you are running a stateful service, anyway.

If the server (or att in this case) sends the page, including the header that sets the cookie, to the wrong user, that user has control of the session for as long as the cookie is valid.

That is an extremely unlikely scenario, though it did appear to happen once, according to one claim. That's because even a really stupid proxy won't include the cookie headers when caching pages.

It isn't limited to login since the cookie expiration time is updated fairly frequently (perhaps every page).

No, facebook's login cookie is set to expire at the end of the session, and if all the state is server side, as you say, then there's never any reason to change it.

Re:But... what? (0)

Anonymous Coward | more than 4 years ago | (#30792116)

What this guy is saying [blogspot.com] .. could that be correct? How does that match with what the parent is saying?

Re:But... what? (1)

jabbathewocket (1601791) | more than 4 years ago | (#30792234)

No its not because your presumption is false.. Lemme explain how it works in laymans terms.. user A (me) logs in like normal to facebook.. at the same time user B also logs in.. .. the important factoid here is we are BOTH logging in from computers with absolutely legit credentials IE there is not a single solitary security method that will fix this problem.. because The ISP's servers are trying to cache responses from the servers before passing them on to users.. So when ATT's server decides to send user B's data to me.. I am still logged in to my own account etc.. its the ISP that is transposing the data returned by the website to the wrong terminal.. which in turn ends up validating our logins for each others sessions. Because ... the isp's caching responded with the right credentials, now the "seed" you spoke of, is sitting on the other guys computer and on my computer as its a 2 way street.. and we can effectively maintain this logged in to wrong account state until the original sites "force you to log in again" which on many sites could be never or several weeks later

Re:But... what? (5, Insightful)

mother_reincarnated (1099781) | more than 4 years ago | (#30790610)

What is almost certainly happening is that AT&T is using a proxy which implements HTTP Pipelining, but is screwing up and not correctly pairing the requests/responses from different sessions. It's probably just more likely to happen on a site like Facebook where many many users on the same proxy are going to the same non HTTPS site...

Re:But... what? (5, Informative)

samkass (174571) | more than 4 years ago | (#30790622)

My guess is that it's as simple as this: the http returned by a request to "www.facebook.com" was cached by AT&T and delivered to other users who attempted to fetch that URL in an attempt to save bandwidth. The login credentials are irrelevant... once AT&T cached the page it thought of as "www.facebook.com" it would deliver it to anyone who asked for that URL. It probably only changed for the next person because someone insisted on logging out and back in, and the caching server detected the change then re-cached the NEW user's page.

This used to happen a lot on the internet to unencrypted streams that allowed log-ins. These days most caching servers are properly configured, but it's still an easy mistake to make if you're setting up a caching proxy.

There are still a lot of bad caches... (2, Insightful)

nweaver (113078) | more than 4 years ago | (#30790828)

Bad in-path caches are something we specifically check for on Netalyzr. Its suprising the number of BAD in-path caches still exist, which cache data that the HTTP server said "for the love of god, don't cache".

More, what has happened is that bandwidth has gotten cheap, so fewer people are DOING caches, and when they are caching, its more likely for latency not bandwidth savings (eg, we see a lot of caching for users from South Africa).

Re:But... what? (0)

Anonymous Coward | more than 4 years ago | (#30790976)

If that is the case, it may mean that Facebook is at fault, too: The web server is supposed to indicate which headers are influence the result of a request by setting the "vary" HTTP-header appropriately. For example, the accept-language header can be used by a server to determine the language of the page to return. If a cache doesn't know about that, it may return a Spanish page from a previous request by someone with an "accept-language: es" to someone who requests the same page with an "accept-language: en" header and only understands English. Many caches use heuristics, such as not caching documents with "?", i.e. parameters, in the URL. These heuristics may be insufficient in the presence of search-engine optimized URLs (which often avoid URL parameters in favor of path elements).

"Informative"? That's stupid and you're stupid. (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30792728)

Then how come they were logged into the accounts properly and doing things like sending mails to their real accounts or checking out the friends lists? Where would all the cached pages with their new activity come from, idiot?

If what you said was remotely true, none of the buttons or links would work. Dur.

Re:But... what? (5, Insightful)

MtHuurne (602934) | more than 4 years ago | (#30790508)

I don't know how Facebook does it specifically, but many sites will give the user a session cookie after entering his/her username and password. All further requests use that session cookie to identify the user. It sounds like a proxy at AT&T served a cached response belonging to someone else and that included a session cookie that was still valid (not logged out or expired).

It may be a bug in the proxy or a bug in the HTTP headers set by Facebook that instruct how a response should be cached. It does show that it is a good idea to use HTTPS when accessing private data, not just for banking. If the site does not offer HTTPS, it is good practice to log out when you're done, so that the server will invalidate the session cookie.

Almost certainly (2, Interesting)

dereference (875531) | more than 4 years ago | (#30790678)

I have no inside details on AT&T or Facebook, but what you've described is almost certainly the problem. AT&T very likely use fairly aggressive caching proxies, especially lately to help mitigate their infamous capacity issues. I'd say that what happened here is pages are being cached without proper regard for cookies. That's fine for sites that don't have custom accounts, and only use cookies for tracking various page view statistics. But Facebook (like nearly every other site in the world that requires a login) issues a cookie to identify you, once you've entered your credentials. So that cookie is how the server knows it's you, and not somebody else. If AT&T's forward caching proxies ignore this cookie, and just give you the most recent page served from Facebook, you're sure to hijack somebody else's session. And, since your first request sends your new credentials, the person you've hijacked (if still online) will now have passively hijacked your session, explaining the last scenario from TFA where sessions appeared to have been swapped.

Re:But... what? (2, Insightful)

Bob9113 (14996) | more than 4 years ago | (#30790760)

If the site does not offer HTTPS, it is good practice to assume the information you store there is not secure.

Fixed that for you. Data sent in the clear is not secure.

From this we can make another logical step: Therefore this is not a security issue. Data which is not secure cannot have a security issue. It is already public.

HTTPS won't necessarily fix this! (0)

mcrbids (148650) | more than 4 years ago | (#30792008)

It's true that the HTTPS protocol would have prevented this, but it can only prevent this type of activity within the https connection! There's no reason why AT&T wouldn't have the phones set up to use an HTTPS proxy - meaning that the connection between the phone and the proxy is like any other http proxy, and the proxy server then initiates the HTTPS connection!

Take a look in your browser settings for "HTTPS proxy", virtually all browsers support this type of behavior, and if AT&T was "aggressively caching" content in order to improve their well-known performance limits, then they almost certainly would have done this, too, and thus HTTPS would have offered no protection at all from this type of bug.

Funny how often well-designed protocols by well-intentioned modifications that bring the who system to its knees, no?

Re:HTTPS won't necessarily fix this! (1)

Bob9113 (14996) | more than 4 years ago | (#30792396)

Using an untrusted proxy (and I assume you don't trust some third party corporation whose contract with you essentially says "all your base are belong to us") to handle your SSL connections is the same as not using SSL.

Re:But... what? (1)

mdwh2 (535323) | more than 4 years ago | (#30792170)

Data which is not secure cannot have a security issue. It is already public.

I'm not sure you mean that, that's a circular definition - anything with a security hole means the data isn't secure, which by your definition means it's not a security issue. Therefore security issues can never exist?

Re:But... what? (1)

Bob9113 (14996) | more than 4 years ago | (#30792414)

Surely you troll, or are you simply being facetious? You must be capable of comprehending that my implication was that if you are intentionally using an insecure channel, considering the data which you send through that channel to be secure is folly. Please, do us all a favor, and attempt to grasp the intent without assuming that the poster is retarded. This community, including myself, deserves better.

Re:But... what? (1)

mdwh2 (535323) | more than 4 years ago | (#30792542)

Someone got out of bed the wrong side today! Please, do us all a favor, and attempt to grasp my intent. This community, including myself, deserves better.

Yes, I'm sure you didn't mean that - but then what on earth did you mean? Ah, now you retreat to:

if you are intentionally using an insecure channel, considering the data which you send through that channel to be secure is folly.

Now let's look at what the person you replied to say:

If the site does not offer HTTPS, it is good practice to assume the information you store there is not secure.

In other words, the same bleeding thing as you're now saying! (Or if anything, the original statement was broader, as it doesn't require intent, and includes people who aren't aware of the differences.) So in that case, what were your additional two points about, if they (a) weren't what I read them as, and (b) they were stronger than what the OP was saying?

Re:But... what? (1)

kaini (1435765) | more than 4 years ago | (#30792632)

MOOOOOM! there's two old men fighting on the lawn!

Re:But... what? (1)

zten (576209) | more than 4 years ago | (#30791960)

I've used m.facebook.com on AT&T across different phones while using my account's SIM card without having to log in again.

nsa account ftw! (-1, Troll)

daveb1 (1678608) | more than 4 years ago | (#30790332)

oooo im on as the nsa ooo pretty!

It's not a GLITCH! It's AUTOMATIC HACKING! (1, Funny)

Anonymous Coward | more than 4 years ago | (#30790354)

It's a feature, NOT a flaw.

Re:It's not a GLITCH! It's AUTOMATIC HACKING! (0)

Anonymous Coward | more than 4 years ago | (#30790608)

CALEA application? Obviously in this case its use would be accidental, but doesn't CALEA give law enforcement the ability to "ghost" sessions like this?

can you hear me now? (0)

Anonymous Coward | more than 4 years ago | (#30790360)

Can you hear me now? Maybe. Can I see all your private information? Yes!

How half of all customer support calls begin (4, Funny)

jarocho (1617799) | more than 4 years ago | (#30790374)

Quote from the article:

"I thought it was the phone -- 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it...'"

The feeling is mutual (3, Funny)

lildogie (54998) | more than 4 years ago | (#30790634)

She ought to consider how the phone is probably feeling the same way about its user.

Re:How half of all customer support calls begin (1, Funny)

Anonymous Coward | more than 4 years ago | (#30790676)

Well, do you have any proof that it's not a magical phone???

Re:How half of all customer support calls begin (1)

Agent ME (1411269) | more than 4 years ago | (#30792146)

If you had a phone that did magical things, why would your first response be to get rid of it?

the american response (2, Funny)

anonieuweling (536832) | more than 4 years ago | (#30790406)

should be:

SUE the hell out of them.

Re:the american response (1)

Stargoat (658863) | more than 4 years ago | (#30790518)

No no. The American response is:

Class action lawsuit.

Good thing that Gmail is all https now (4, Insightful)

rolfwind (528248) | more than 4 years ago | (#30790426)

Probably will take Yahoo only another 15 years to catch up. Wish all other services with even a small chance of transmitting private data would do the same. Even if they charged for it (i.e. a premium account).

Re:Good thing that Gmail is all https now (2, Informative)

XPeter (1429763) | more than 4 years ago | (#30790474)

Gmail has supported HTTPS since it's release, only now are they making it standardized.

Re:Good thing that Gmail is all https now (2, Insightful)

rolfwind (528248) | more than 4 years ago | (#30790542)

Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure. (Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)

Re:Good thing that Gmail is all https now (1)

XPeter (1429763) | more than 4 years ago | (#30790560)

(Although, if you're telling secrets to another human, there really isn't any hope of it staying one...)

Score:5, Truth.

Re:Good thing that Gmail is all https now (1)

coolgeek (140561) | more than 4 years ago | (#30792254)

Perhaps, one good thing about it being standardized is that if I send to someone on that service, I also know if's a bit more secure.

Except you're suggesting a browser-based email service, so all bets are off once the next browser vulnerability is discovered.

Re:Good thing that Gmail is all https now (1)

tsa (15680) | more than 4 years ago | (#30790644)

its

Re:Good thing that Gmail is all https now (1)

The Wild Norseman (1404891) | more than 4 years ago | (#30790698)

something that I was wondering about for a long ti... hey! Why am I suddenly finishing this sentence under someone else's account? I'm tsa dammit! Who the hell is The Wild Norseman anyway?!?

Re:Good thing that Gmail is all https now (1)

Just Brew It! (636086) | more than 4 years ago | (#30790916)

Seems to me that the only reason https has not become more widespread already is the computational load it places on web servers and browsers, due to the encryption. Given that even mobile devices now have more CPU horsepower than a desktop system from the early days of the Web, it is high time that we move anything that involves even marginally sensitive data to a secure protocol.

Re:Good thing that Gmail is all https now (1)

BrokenHalo (565198) | more than 4 years ago | (#30791544)

Given that even mobile devices now have more CPU horsepower than a desktop system from the early days of the Web...

True, but don't forget that an iPhone can only do one... thing... at... a... time.

Article Comments (1)

Aldenissin (976329) | more than 4 years ago | (#30790446)

Reading the article's comments (Ya, I know ban me for RTFA lol) the issue appears to be quite widespread, and possibly on Facebook's end. They appear to not sue encryption once you log in, so that is definitely a weakness there. But that "costs" more bandwidth... but if Google can do it and switch to HTTPS... but of course this is email, not public humiliation we are talking about here.

Re:Article Comments (0)

Anonymous Coward | more than 4 years ago | (#30790558)

uh... encryption is usually not a big bandwidth or cpu load generator. Almost of the work is done in generating the session information.

Like others here, I am having a hard time understanding how the network/transport service provider is causing the problem... unless they have some sort of network cache at work. But even then it is hard to understand how this would happen.

Re:Article Comments (0)

Anonymous Coward | more than 4 years ago | (#30790640)

encryption is usually not a big bandwidth or cpu load generator

It's not a bandwidth generator, but it is definitely a load generator. On Linux, compare the speed of sendfile() over non-https connection to a https connection (which can't use sendfile() since it has to process the file for encryption in userspace)

Re:Article Comments (1)

djsmiley (752149) | more than 4 years ago | (#30790972)

It uses more bandwidth due to encrypted data being larger than unencrypted.... think about it (For the transmitter).

It uses more CPU (at the encrypter and decrypter ends).

However for the transmitter, the data is merely larger, its no harder to handle encrypted data than it is to handle unencrypted data.

Re:Article Comments (0)

Anonymous Coward | more than 4 years ago | (#30792782)

Didn't say there wasn't any cpu load/bandwidth increase... just said it wasn't big. Our main concern with SSL and other encryption mechanisms is the session generation capability. After the session connection is set up it is hard to discern encrypted traffic load from non-encrypted. Virtually the same and at least well within the same order of magnitude.

Re:Article Comments (1)

coolgeek (140561) | more than 4 years ago | (#30792266)

unless they have some sort of network cache at work

Like most every ISP in the world, to save bandwidth? Look at your server logs, if you have any. You'll see a lot of different users coming from a single IP address. That's a transparent proxy at their ISP.

Mod parent down (1)

93 Escort Wagon (326346) | more than 4 years ago | (#30792740)

He readily admits to reading the article! Not only the article, but even the comments! We can't have that on Slashdot - we've got to nip this in the bud.

This makes no sense... (0)

Anonymous Coward | more than 4 years ago | (#30790450)

The website handles the login to accounts. The article was saying that folks were logging in via their AT&T cell phones and ending up on others pages. I don't get it, one's phone has their login information, the phone sends the login info to Facebook, Facebook verifies the login information and then lets the user see their stuff. What, is ATT pooling login information to Facebook on one server and doing a lookup when someone wants to log into FB?

How in the World can this be AT&T's fault unless they have some special deal with Facebook and they're the ones sending wrong information to Facebook.

If this is infact AT&T's problem, then that means it could happen to those of us that have AT&T as their ISP and login via their home computers.

Actually, WTF is Facebook doing?!? That is the real question here. How the hell is AT&T mixed up in this?

Re:This makes no sense... (3, Interesting)

Ungrounded Lightning (62228) | more than 4 years ago | (#30791010)

How in the World can this be AT&T's fault ...

1) Alice and Bob are both logging in to facebook. They send the last message of the login at nearly the same time.
2) Facebook
3) AT&T gives Alice's cookie to Bob. (Several ways to do this.)
4) Because Bob's browser was expecting the reply with the cookie from Facebook it accepts it and continues with the login step. Except for having the wrong cookie everything is as it should be.
5) Bob's transactions are marked with Alice's cookie until he logs out, logs in again, or the session expires. He's logged in as Alice.

If you read the fine article, one of the examples is exactly that. In step 3) "Bob" and "Alice" had their replies-with-cookie swapped so they each ended logged in as the other.

Technical details please! (1)

Azureflare (645778) | more than 4 years ago | (#30790568)

Did the session IDs get crossed? This is the only thing I can think of: that the cookie got sent to the wrong handsets, perhaps because they were logging in simultaneously. This would be very worrisome if it were true, as it would not apply to other sites besides facebook, e.g. banking sites.

However, I'm wondering if it may be a problem with the Facebook login system. Perhaps there is something wrong with how they identify a browser who is currently logging in, and they confused handsets on the carrier (since they probably share IPs with other handsets).

More testing needs to be done to determine if this really is an ATT issue, or just a facebook issue. Facebook doesn't exactly have cast-iron, secure code, from my experience.

Also, AJAX can get wonky sometimes if you don't code it right, and facebook relies on a lot of AJAX now.

Re:Technical details please! (1)

Azureflare (645778) | more than 4 years ago | (#30790578)

Correction, first paragraph should end with "as it would apply to other sites besides facebook, e.g. banking sites."

Re:Technical details please! (1)

mother_reincarnated (1099781) | more than 4 years ago | (#30790674)

Very likely could affect other sites, but one would hope they don't man-in-the-middle https.

Re:Technical details please! (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30790870)

The article is poorly written and obviously is a hearsay of technical information loosely translated into something people might read.

The description of the potential scope of the problem (all of the internet, everybody, all of the time) is laughable. Of course if I get a flat tire from a nail, and if nails are used everywhere, then everyone's tires are at risk from nails all of the time. And we should all stay home. Better to find out why that nail was there and if there is someone dropping nails on the road.

Sounds like a bad session cookie, either at Facebook server or loadbalancer. Or perhaps some network cache/proxy that keeps session info. If it was a TCP connection that an IP router went bonkers on then a lot of other session things would go wrong too and packets would drop. Its a complex world we live in so there is always the possibility that something weird and not so wonderful happened.

er.. awaiting better information

Caching (5, Interesting)

nOw2 (1531357) | more than 4 years ago | (#30790574)

I can't say for AT&T or Facebook what happened in this case, but I have seen similar things happening with poor-quality web caching proxies.

I am specifically talking of the horror that is Microsoft's ISA server.

At a previous job at an office powered by an MSDN subscription, there were cases where users would open websites for the first time and find themselves immediately logged in as someone who had already used and logged into that site on a nearby LAN computer.

Cool (1)

Broken scope (973885) | more than 4 years ago | (#30790606)

This happened to me in Virgina a few weeks back. AT&T is my service provider. Promptly logged out so I could get onto mine.

Re:Cool (2, Interesting)

TheRaven64 (641858) | more than 4 years ago | (#30790814)

Wait, let me get this straight:

You used a connection, realised that it had a security hole that was disclosing login information to third parties, and then provided it with your login information.

Re:Cool (0)

Anonymous Coward | more than 4 years ago | (#30791364)

That is why is scope is broken....

sounds like somebody isn't using Cache-Control (0)

Anonymous Coward | more than 4 years ago | (#30790648)

It would be really easy to do this if they used squid or similar and somehow told it to not honor/honour the Cache-Control setting subsequent connections would end up re-using "objects" that were supposed to be private...like cookies.

NAT problem on ATT's WAP gateway? (1)

rkasper (114894) | more than 4 years ago | (#30790652)

Might have been a NAT problem on ATT's WAP gateway.

Re:NAT problem on ATT's WAP gateway? (0)

Anonymous Coward | more than 4 years ago | (#30791076)

I have a gnat problem in my garden gateway.

Hardly new in end effect... (4, Interesting)

shoppa (464619) | more than 4 years ago | (#30790734)

The article says:

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else.

But I, as a just random user of some commercial (read: mail-order, telephone company, etc.) websites have several times over the years requested information about my account and orders - and seen instead somebody else's information. In these cases the cause seems to have been non-unique cookies although that is purely a guess, maybe indeed there was some hijacking going on at the network level.

Some of these websites were supposedly "https" but some inspection of HTML source revealed this was just the frame, the actual information was frequently in non-secure inner frames. Poked around a tiny little bit and found that by altering the URL's in those frames I could see arbitrary customer's account info.

I didn't have the courage to tell anyone - after all, accessing somebody else's account information is a federal crime.

It's not entirely new (1)

anorlunda (311253) | more than 4 years ago | (#30790746)

In the pre-LAN days of the 1980s we used to use terminal servers to connect dumb terminals to the computers. Their purpose was to dish our point-to-point connections on demand.

Once in a while, perhaps due to a power glitch, the terminal servers would drop all connections and then immediately reconnect everyone at random. Users abruptly found themselves in the middle of someone else's session.

Old technology or new, connection errors are bound to happen once in a while.

The true risk here is misplaced confidence. People simplify; errors that happen very rarely are mentally simplified to "never happens." They then become sloppy and unguarded.

In parts of India where customers suffer electric blackouts 4-5 times per day, commerce is so robust that they hardly notice. When a regional blackout happens in a Western country once every 10 years or so, many people are caught unprepared.

Fire departments hold regular drills to maintain preparedness skills. The frequency of real life emergencies is not sufficient. Perhaps the public would be best served by participating in regular Internet drills, but I'm not going to hold my breath waiting for that to happen.

CLEARLY a web proxy problem... (3, Insightful)

nweaver (113078) | more than 4 years ago | (#30790754)

On the IP layer, this wouldn't happen, because there are cookies contained in the web traffic that are used to route things on the Facebook end, simply because there are NATS and the like.

Thus the problem is whatever in-path HTTP proxy AT&T is using for their phones that crossed things over.

In-path HTTP proxies and caches can be very hard to find and may produce all sorts of interesting subtle problems when there are bugs in them.

Similar problem on my facebook app (1)

qwertyatwork (668720) | more than 4 years ago | (#30790758)

I have an iPhone with the facebook app with t-mobile. After updating to the newest version, I keep getting notifications for other people. I let facebook know but didn't get a reply. Is anyone else having this problem?

So packets can be mis-routed? (0)

nurb432 (527695) | more than 4 years ago | (#30790784)

Really now? And people are just now realizing this?

...and AT&T strikes again. (1)

Just Brew It! (636086) | more than 4 years ago | (#30790874)

This is sheer incompetence IMO. It is sad to see the organization which originally spawned Bell Labs -- arguably the most important private sector research organization the US has ever seen -- reduced to this. (Not to mention the fact that Lucent, nee Bell Labs, is now but a mere appendage to the French telecom operation Alcatel.)

Re:...and AT&T strikes again. (1)

John Hasler (414242) | more than 4 years ago | (#30791240)

First, we don't know for sure that this is not a Facebook problem (an organization not renowned for technical competence). Second, the company currently known as AT&T has no connection with the original AT&T other than the name.

> ...Lucent, nee Bell Labs...

Nee Western Electric.

Re:...and AT&T strikes again. (1)

Just Brew It! (636086) | more than 4 years ago | (#30791306)

If it was a Facebook problem I think we would've also heard about it from people who don't have AT&T as their ISP. Though I tend to agree that Facebook isn't exactly the pinnacle of security best practices either...

T-Mobile (1)

flawd1 (1402891) | more than 4 years ago | (#30790906)

I had something like this happen to me on T-Mobile a couple weeks ago. A mother and daughter were trying to call each other one night, and each call went to me. It went on for over an hour. I even tried to call their numbers back and got my voicemail.

Showing, once again (1)

russotto (537200) | more than 4 years ago | (#30790938)

....that if you really need data to be secure, end to end security is the only way to go. That way, no matter what happens in the network (short of man in the middle attacks by a trusted or very resourceful attacker), either only you get your data, or nobody does.

Of course I'm here on slashdot via a non-secure connection, but the worst that happens here is someone steals my account to post obnoxious shit. (and who would notice?)

MITM (1)

gmuslera (3436) | more than 4 years ago | (#30791024)

Unless are women, the people working at your service provider (and all the layers between you and your target site) are in fact man in the middle. That they decide to "attack" by their own choice or i.e. government order is up to them, but is up to you being aware of that and take measures to minimize risks. Unless we are talking about facebook, of course, there lack of privacy don't seem to be a big priority.

What makes this "little known"? (1)

Jessta (666101) | more than 4 years ago | (#30791082)

What makes this "little known"?
This is the whole reason we have SSL(TLS) and happens all the time, except usually nobody notices.

This is interesting because (0)

Anonymous Coward | more than 4 years ago | (#30791594)

Years ago I clicked on a dating service ad here on Slashdot. It turned out (disappointingly) to lead to Match.com. But the interesting thing was that I appeared to be logged in as a Match.com user (I had no account with Match at the time). I verified that I was indeed logged in by going to the account details page, and was able to see this guy's personal info.

Now I could've been a dick, but I wasn't -- I logged out immediately. But to this day I wonder how the heck that could've happened.

oblig. (0)

Anonymous Coward | more than 4 years ago | (#30791602)

THEN WHO WAS PHONE?

Security flaws (0, Offtopic)

Jaktar (975138) | more than 4 years ago | (#30791656)

It turns out that both of these women who use AT&T phones had both heard of Internet Explorer and Firefox. The nation of Liberia is now warning users who have ever heard of Internet Explorer or Firefox to switch to Liberia's own Liberexplorer for a limited time only. Supplies are running out fast and there is a strict limit of 2^10000th power per customer. Just five easy installments of $10.99 and you're in the clear. Act now!

The real secret and what spy agencies really see (0)

Anonymous Coward | more than 4 years ago | (#30792104)

I can't wonder if what happened here is not a glitch -- this is the access that the US Intelligence communities get all the time through ATT. The only "glitch" was that somehow, this lady temp. got into that loop. If this is the case, they see whatever, whenever all the time -- now that is what is really scary.

cell phone internet uses a nat based system the hi (1)

Joe The Dragon (967727) | more than 4 years ago | (#30792174)

cell phone internet uses a nat based system the higher priced plan have real ip's. I think that media net is nat based.

How she knew it wasn't her account (1)

Fnord666 (889225) | more than 4 years ago | (#30792642)

When describing how she knew it was not her account, Candace replied that

"He's white -- I'm not,"

Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.

Re:How she knew it wasn't her account (1)

93 Escort Wagon (326346) | more than 4 years ago | (#30792858)

Apparently the fact that the account holder was also male was not the first thing to cross her mind. I thought we had gotten farther than this.

The article says what tipped her off was a photo of the site's owner. I would think that skin color would stand out as much as gender when you first see a photo.

Plus, really, I'm a bit tired of all this pussy-footing around when it comes to race. We should be able to reach a place where we treat everyone else with respect, yet still are able to recognize our differences for what they are - not better than someone else's, nor worse; just different. A person's race is a legitimate part of their heritage and their personal story.

A quilt is rather boring if it's all just one color.

Knowing AT&T... (0)

Anonymous Coward | more than 4 years ago | (#30792684)

When are we going to get the story from the CEO somehow blaming this on the iphone and all the bandwidth they use?

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>