Bugtraq mailing list archives

RE: facebook 'routing flaw'?

From: "Sacks, Cailan C" <Cailan.Sacks () standardbank co za>
Date: Tue, 19 Jan 2010 09:08:13 +0200

Just my two cents, but...

Many mobile providers are implementing caching on their proxies to make
up for the overpopulated state of their networks, and depending on how
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.

If, for example, facebook set the cookie in a non https session, or in
the url or via a redirect to a uniquely generated page name which in
turn set the cookie depending on the variables passed in a URL or other
cached content, and two users browsed the page content in relatively
short periods of time, the session cookie issued would be identical.
Meaning the second person to browse facebook would be logged in as the
first person who had already authenticated themselves.

Maybe someone can check if the mobile operator had recently implemented
something like this?

-----Original Message-----
From: Michael Scheidell [mailto:scheidell () secnap net] 
Sent: Saturday, January 16, 2010 2:39 PM
To: bugtraq () securityfocus com
Subject: facebook 'routing flaw'?

AP Report says it was a 'routing problem'? any idea what they are 
talking about, do THEY know what they are talking about?
Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP 
ADDRESS AND COOKIES and disable the session when the ip changed?

<http://www.foxnews.com/scitech/2010/01/16/network-flaw-causes-scary-web
-error/>

SAN FRANCISCO - A Georgia mother and her two daughters logged onto 
Facebook from mobile phones last weekend and wound up in a startling 
place: strangers' accounts with full access to troves of private 
information.

The glitch - the result of a routing problem at the family's wireless 
carrier, AT&T - revealed a little known security flaw with far reaching 
implications for everyone on the Internet, not just Facebook users.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259

*| *SECNAP Network Security Corporation


    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  
Standard Bank email disclaimer and confidentiality note
Please go to http://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and 
confidentiality note. Kindly email disclaimer () standardbank co za (no content or subject line necessary) if you 
cannot view that page and we will email our email disclaimer and confidentiality note to you.

Current thread:

facebook 'routing flaw'? Michael Scheidell (Jan 18)
- Re: facebook 'routing flaw'? Manny Ponce (Jan 19)
- RE: facebook 'routing flaw'? Sacks, Cailan C (Jan 19)
- Re: facebook 'routing flaw'? Suramya Tomar (Jan 19)
- Re: facebook 'routing flaw'? Matthew Leeds (Jan 19)