The Register® — Biting the hand that feeds IT

Feeds

AT&T snuffs mobile Facebook security glitch

Um, that's not my profile

By Austin Modine, 19th January 2010
  • print
  • alert

AT&T says it has resolved a network glitch that caused some mobile customers to log into Facebook accounts belonging to complete strangers.

"In a limited number of instances, a server software connectivity error resulted in some AT&T wireless customers being logged into the wrong Facebook account when they accessed Facebook through their mobile phones," an AT&T spokesman told El Reg via email. "This error impacted the subscriber identification information used to automatically log-on the Facebook user if a current cookie was not available.

Over the weekend, a story from The Associated Press reported that an Atlanta, Georgia-area mother and her two daughters all found themselves looking at strangers' Facebook profiles when they accessed the social website from their mobiles. One of the daughters landed in another person's profile on her first visit to Facebook on her phone.

The mobile operator confirmed that server issues were to blame for the security breaches "in a limited number of instances," but it didn't say how widespread the glitch was.

And here's where it get a bit weird: AT&T told the AP that one of the family members had actually experienced a separate error that similarly granted her full access to another person's Facebook account. AT&T said that its investigation pointed to a "misdirected cookie" in one of the phones — and that its technicians were unable to determine how it was routed to the phone.

The mobile operator told us that it has added new security measures to prevent the server error from happening again, adding that it collaborated with Facebook to disable subscriber identification information as an option for automatic log-in.

"For customers to access their Facebook account from AT&T wireless devices, Facebook now only will accept cookies placed by Facebook or full customer log-on information," AT&T said. "If the cookie isn't current, customers will be prompted to log in to their account. With these steps, we've addressed all known server issues and we continue to work with Facebook to monitor the situation."

AT&T went on to claim the wayward cookie issue was merely an "isolated" case that it has resolved with the customer. "It is unclear how this cookie was set on the phone." it said. ®

COMMENTS

House Rules Send Corrections
All Reader Comments (4)
Latest Comments
Anonymous Coward
Reply Icon

"Value added" == "vulnerability added", once again.

Well, it's not so much DPI as it is plain ol'-fashioned proxying. Reading between the lines:

>"collaborated with Facebook to disable subscriber identification information as an option for automatic log-in.

>"For customers to access their Facebook account from AT&T wireless devices, Facebook now only will accept cookies placed by Facebook or full customer log-on information," AT&T said. "If the cookie isn't current, customers will be prompted to log in to their account"

... strongly implies that AT+T have some kind of partnering arrangement with FB, and they maintain some kind of trusted third-party FB authentication servers in their network, to provide a bit of "value-added" service to their customers by NATing, proxying and caching their login so that it can auto-login for them to save them having to type their email address and password so often. The sort of mix-up we've seen here could trivially easily occur in such a server if there was a bit of a race condition, or a non-atomic database, or for any of a multitude of other reasons related to the complexities of multi-threaded coding.

And the "fix" appears to have been for FB to decide to stop trusting AT+T's crappy servers. Good decision. They shouldn't have this kind of arrangement at all with anyone.

0
0
Bill Neal

Limited???

I have seen it happen on a few phones just last month. Most people don't have a reason to complain to AT&T since it isn't their profile being defaced.

0
0
pctechxp

In the words of Jobs

No big deal

Seriously though, this isn't really newsworthy as facebook is a site for losers anyway.

0
0
Alexander Hanff 1

Pull the other one it has crackers on it

Cookie misdirection my arse. Anyone who has even the slightest idea of how cookies and networks work can see this to be a complete pile of crock.

The ONLY way that cookie could have been redirected is from AT&T messing around with data flow - this stinks of DPI - absolutely festering with it.

I will be very interested to see what the techsperts say about this once they have had more time to investigate the situation - but it is pretty obvious from where I am sitting that AT&T are talking our of their misdirected arses.

0
0

More from The Register

MYSTERY Nokia Lumia with gazillion-pixel camera 'spotted'
With 20Mp sensor - NOW will you try Windows Phone 8?
101
Microsoft reveals Xbox One, the console that can read your heartbeat
Upgrades Live service – and no always-on requirement
247
breaking news
Rogue Nokia splinter cell drops its Jolla phone A-BOMB
Ota tuo, vihreä robotti Google!
72
The iWatch is coming! The iWatch is coming!
Reports: Apple's wrister to have 1.5-inch OLED, test units being built
68
US boffin builds 32-way Raspberry Pi cluster
Beowulf cluster built for the price of a single PC
110
Dell's PC-on-a-stick landing in July: report
Wyse up, suckers, could this be a new set-side-stick?
44
Review: HP Pavilion 14 Chromebook
All roads lead to Chrome?
44
Borked your iDevice? Pay EVEN MORE to have it fixed by Applecare
Or scream at their hapless techies on their forums
29
Review: Sony Xperia SP
The new mid-range marvel? Oh yes.
52
Euro PC shipments plummet into bottomless pit of DOOOOM
11th quarter of decline, 20pc drop on last year - Gartner
41