
RE: facebook 'routing flaw'?

Just my two cents, but...

Many mobile providers are implementing caching on their proxies to make
up for the overpopulated state of their networks, and depending on how
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.

If, for example, Facebook set the cookie in a non-HTTPS session, or in
the URL or via a redirect to a uniquely generated page name which in
turn set the cookie depending on the variables passed in a URL or other
cached content, and two users browsed the page content in relatively
short periods of time, the session cookie issued would be identical,
meaning the second person to browse Facebook would be logged in as the
first person who had already authenticated themselves.

Maybe someone can check if the mobile operator had recently implemented
something like this?

-----Original Message-----
From: Michael Scheidell [mailto:scheidell@xxxxxxxxxx] 
Sent: Saturday, January 16, 2010 2:39 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: facebook 'routing flaw'?

AP Report says it was a 'routing problem'? Any idea what they are
talking about? Do THEY know what they are talking about?
Did AT&T mix up the destination IP addresses? Did Facebook NOT CHECK IP
ADDRESS AND COOKIES and disable the session when the IP changed?


SAN FRANCISCO - A Georgia mother and her two daughters logged onto 
Facebook from mobile phones last weekend and wound up in a startling 
place: strangers' accounts with full access to troves of private 

The glitch - the result of a routing problem at the family's wireless 
carrier, AT&T - revealed a little known security flaw with far reaching 
implications for everyone on the Internet, not just Facebook users.

Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008

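The caching scenario raised in the reply above can be checked for from the application side. The following is an added example, not part of either message: a small Python audit that flags responses a shared caching proxy could store and replay with session state attached. The parameter names in `SESSION_PARAMS`, the finding labels and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: query parameter names that carry a session token in the audited app.
SESSION_PARAMS = {"sid", "sessionid", "session_id", "token"}

def cache_directives(headers):
    """Lower-cased Cache-Control directive names from (name, value) pairs."""
    raw = ",".join(v for k, v in headers if k.lower() == "cache-control")
    return {d.split("=", 1)[0].strip().lower() for d in raw.split(",") if d.strip()}

def audit_response(url, headers):
    """Return findings for one response; labels are hypothetical, not a standard."""
    findings = []
    # 'private' or 'no-store' tells a shared cache (carrier proxy) not to store it.
    blocked = bool(cache_directives(headers) & {"private", "no-store"})
    cookies = [v for k, v in headers if k.lower() == "set-cookie"]
    if cookies and not blocked:
        findings.append("set-cookie-cacheable")
    if cookies and urlsplit(url).scheme != "https":
        findings.append("cookie-over-http")
    for cookie in cookies:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie-missing-secure")
            break
    # A session token in the request URL or a redirect target ends up in the
    # cache key or the stored response, so a cached copy can reach the next user.
    targets = [url] + [v for k, v in headers if k.lower() == "location"]
    for target in targets:
        params = {p.lower() for p in parse_qs(urlsplit(target).query)}
        if params & SESSION_PARAMS and not blocked:
            findings.append("session-id-in-url")
            break
    return findings

# Constructed sample responses (hosts and values are made up).
WEAK = ("http://m.example.test/home",
        [("Cache-Control", "public, max-age=60"),
         ("Set-Cookie", "session=abc123; Path=/")])
HARDENED = ("https://m.example.test/home",
            [("Cache-Control", "private, no-store"),
             ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])
REDIRECT = ("https://m.example.test/login",
            [("Cache-Control", "max-age=300"),
             ("Location", "https://m.example.test/start?sid=abc123")])

if __name__ == "__main__":
    for name, (url, headers) in [("weak", WEAK), ("hardened", HARDENED), ("redirect", REDIRECT)]:
        print(name, audit_response(url, headers))
```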