AP Exclusive: Network flaw causes scary Web error

Intense

Senior Member
Aug 2, 2009
Just giving a Heads Up for Anyone interested.



A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information.
The glitch—the result of a routing problem at the family's wireless carrier, AT&T—revealed a little-known security flaw with far-reaching implications for everyone on the Internet, not just Facebook users.

In each case, the Internet lost track of who was who, putting the women into the wrong accounts. It doesn't appear the users could have done anything to stop it. The problem adds a dimension to researchers' warnings that there are many ways online information—from mundane data to dark secrets—can go awry.

Several security experts said they had not heard of a case like this, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It's not clear whether such episodes are rare or simply not reported. But experts said such flaws could occur on e-mail services, for instance, and that something similar could happen on a PC, not just a phone.

"The fact that it did happen is proof that it could potentially happen again and with something a lot more important than Facebook," said Nathan Hamiel, founder of the Hexagon Security Group, a research organization.

Candace Sawyer, 26, says she immediately suspected something was wrong when she tried to visit her Facebook page Saturday morning.

After typing Facebook.com into her Nokia smart phone, she was taken into the site without being asked for her user name or password. She was in an account that didn't look like hers. She had fewer friend requests than she remembered. Then she found a picture of the page's owner.

"He's white—I'm not," she said with a laugh.

Sawyer logged off and asked her sister, Mari, 31, her partner in a dessert catering company, and their mother, Fran, 57, to see whether they had the same problem on their phones.

Mari landed inside another woman's page.

Fran's phone—which had never been used to access Facebook before—took her inside yet another stranger's page, one belonging to a young woman from Indiana. They sent an e-mail to one of their own accounts to prove it.

They were dumbfounded.

"I thought it was the phone—'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it,'" said Candace Sawyer.

The women, who live together in East Point, Ga., outside Atlanta, had recently upgraded to the same model of phone and all used the same carrier, AT&T.

Sawyer contacted The Associated Press after reporting the problem to Facebook and AT&T.

The problem wasn't in the phones. It was a flaw in the infrastructure connecting the phones to the Internet.

That illuminates a grave problem.

Generally Web sites and computers are compromised from within. A hacker can get a Web page or computers to run programming code that they shouldn't. But in this case, it was a security gap between the phone and the Web site that exposed strangers' Facebook pages to the Sawyers. Misconfigured equipment, poorly written network software or other technical errors could have caused AT&T to fumble the information flowing from the Sawyers' phones to Facebook and back.

AP Exclusive: Network flaw causes scary Web error
 
Sounds very peculiar to me.

Html is stateless, which means that session variables are passed to and from the browser and the server. This is saying that somehow session variables, housed on the browser side, got confused and messed up with the information on the server side.

Sounds like someone at AP is either clueless or got something very badly backwards.
 
Sounds like a flaw stemming from the Cell Phone Software that makes us all vulnerable.
 
