AT&T router flaw causes access to sensitive information
January 19, 2010
A woman from Georgia logged into Facebook from a mobile phone on Saturday and wound up in a very curious place: other people's accounts, with full access to hundreds of megabytes of sensitive information that she should not have been able to see. The issue was the result of a routing flaw at the family's wireless carrier, AT&T.
Although this is a serious breach of information, and the woman probably had no intention of stealing any private data, the incident does reveal a little-known security flaw with far-reaching implications for everyone on the Web, not just Facebook users.
Since the incident was reported, several security experts say they have not seen any case like this before, in which the wrong person was shown a Web page whose user name and password had been entered by someone else. It's not clear whether such episodes are rare or simply not reported, but security experts say such holes could occur on e-mail services and that something similar could happen on a PC or corporate work station, and not just on a mobile phone.
Since being discovered, this news story has been rapidly propagating throughout the Web and is the major topic in some security forums.
In each of these cases, the Internet lost track of who was who, putting the women into the wrong accounts. What is so troubling about the incident is that the users apparently could have done nothing to prevent it.
The problem adds a completely new dimension to security researchers' warnings that there are many ways to get online information, whether it be public or private in nature.
Nathan Hamiel, founder of the Hexagon Internet Security Group, says "the fact that it did happen in the first place is proof that it could certainly happen again and with something a lot more important than some personal information on a Facebook account."
After typing Facebook.com into her Nokia smartphone, the woman was then taken into the site without being asked for her user name or password. She was in an account that didn't look like hers. She had fewer friend requests than she remembered. Then she found a picture of the page's owner.
Candace Sawyer, 26, says she immediately suspected something was wrong when she tried to visit her Facebook page Saturday morning. "He's white — I'm not," she said with a laugh. Sawyer logged off and asked her sister and her mother to see whether they had the same problem on their phones.
Surprisingly, they were both able to view other people's information as well. Candace's mother's phone — which had never been used to access Facebook before — took her inside yet another stranger's page, one belonging to a young woman from Indiana. They even sent an e-mail to one of their own accounts to prove it.
Needless to say, they were both shocked at the discovery. "I thought it was the phone — 'Maybe this phone is just weird and does magical, horrible things and I have to get rid of it,'" said Candace Sawyer. The women had recently upgraded to the same model of phone and all used the same wireless carrier, AT&T.
But security experts say the problem isn't in the phones themselves; rather, it's a serious bug in the Internet infrastructure connecting the phones to the Web. That makes it an issue of serious proportions for every Internet user.
Sometimes, Web sites and users' computers are compromised from within: an attacker gets a Web site or a computer to run code that it shouldn't. But in this case, it was a security hole between the smartphone and the Web site that directly exposed other users' Facebook pages to the Sawyers.
Misconfigured routing equipment, poorly written network software or other technical errors could have caused AT&T to fumble the information flowing from the Sawyers' phones to Facebook and back and forth.
AT&T spokesman Michael Coe said its wireless customers have landed in the wrong Facebook pages in "a limited number of instances" and that a network problem behind those episodes is currently being repaired.
Nevertheless, the Sawyers experienced a different issue. Coe said an investigation points to a "misdirected cookie." A cookie is a file some Web sites place on computers to store identifying information — including the user's name that Facebook members would enter to access their personal pages.
Coe said that AT&T's technicians couldn't figure out how the cookie had been routed to the wrong phone, leading it into the wrong Facebook account.
Fortunately, the vulnerability would be of limited use to a hacker interested in causing trouble, simply because this hole would let him access only one account at a time. To do more damage, the criminal would have to pull off the unlikely feat of gaining full control of the piece of equipment that routes Internet traffic to individual users, a feat that is possible in theory but that some security experts think is highly unlikely.
Coe added that AT&T could confirm only that the problem occurred on one of the Sawyers' phones, possibly because they had logged off Facebook on the other two before reporting the incident. Facebook declined to comment and referred questions to AT&T.
However, some Web sites would be immune from this kind of mix-up, particularly those that use encryption. A Web browser would have trouble deciphering the encryption on a page that a computer user didn't actually seek, said Chris Wysopal, co-founder of Veracode, a security company.
In light of all this, maybe encryption technology should be used at all times with sites similar to Facebook, LinkedIn and others.
Sensitive sites and those used for banking and e-commerce all use encryption. But most other sites, including some Web-based e-mail services, don't use it. For now, it's still unclear how many people were affected by the problem the Sawyers discovered, and whether it was limited to Facebook.
The reason all three women experienced the security glitch is a function of the way mobile phone and wireless networks are designed. In some cases, all the mobile Internet traffic for a particular area is routed through the same piece of networking equipment. If that piece of equipment is misbehaving or set up incorrectly, some very strange things can happen when computers down the line receive the data.
Usually that means a Web site simply won't load, said Alberto Solino, director of security consulting services for Core Security Technologies. In the Sawyers' case, "somehow they got the wrong user but they could keep using that account for a long period of time."
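One way a site could notice a misdirected session from its own access logs, as an added example that is not part of the original article: because every handset behind a carrier gateway shares one public IP, binding a session to the client IP catches nothing, while a change in the device's User-Agent mid-session does stand out. The log format, field names and sample lines are constructed for this example; the caveat is that two identical handsets present identical User-Agent strings, which is why the encryption the article mentions is the stronger fix.

```python
"""Added example (not from the article): detect a session cookie that
suddenly arrives from a different device than the one that started it."""
import re

# Constructed access-log format: <client_ip> <session_cookie> "<user_agent>" <path>
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')

# Constructed sample: two phones behind one carrier gateway IP. Request 3
# carries user A's session cookie but comes from user B's handset.
SAMPLE_LOG = """\
203.0.113.7 sess_a1 "Nokia5800/Symbian fw12" /home
203.0.113.7 sess_b2 "NokiaE71/Symbian fw31" /home
203.0.113.7 sess_a1 "NokiaE71/Symbian fw31" /messages
203.0.113.7 sess_b2 "NokiaE71/Symbian fw31" /friends
"""


def parse_log(text):
    """Yield (ip, session, user_agent, path) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def sessions_changing_attribute(text, attribute):
    """Return (session, first_value, new_value, path) alerts for sessions
    whose bound attribute ('ip' or 'ua') differs from the value seen on
    the session's first request."""
    index = {"ip": 0, "ua": 2}[attribute]
    first_seen = {}
    alerts = []
    for rec in parse_log(text):
        session, value, path = rec[1], rec[index], rec[3]
        if session not in first_seen:
            first_seen[session] = value  # bind the session on first use
        elif first_seen[session] != value:
            alerts.append((session, first_seen[session], value, path))
    return alerts


if __name__ == "__main__":
    # Shared gateway IP: IP binding yields no alert at all.
    print("IP-bound alerts:", sessions_changing_attribute(SAMPLE_LOG, "ip"))
    # Device binding flags sess_a1 when it shows up from the other handset.
    print("UA-bound alerts:", sessions_changing_attribute(SAMPLE_LOG, "ua"))
```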
But this isn't the first instance of something like this happening. There was a similar case in November 2009. Stephen Simburg, 25, who works in marketing, was home for Thanksgiving in Vancouver, Wash., when he logged onto Facebook from his mobile phone.
Simburg didn't recognize the people who had written him previous messages. "I thought I had gotten really popular all of a sudden, or something was wrong," he said. Then he saw the picture of the account owner: A young woman!
He got her e-mail address from the site, logged off and wrote the woman a message. He asked whether he had met her at some point and if she had borrowed his phone to check her Facebook account.
This incident now has more than one Internet security expert scrambling. Additionally, AT&T, Verizon Wireless, Sprint, MetroPCS and other wireless service providers are now working diligently to make sure such incidents don't happen again.