Misdirected AT&T Cookie Exposes People’s Facebook Accounts to Strangers

When a Georgia mom and her daughters logged into their Facebook accounts from mobile phones last week they were shocked to find that they had access to other people’s Facebook accounts with total access to their personal data.

The mistake was the result of a network routing glitch at the family’s wireless carrier, AT&T, that exposed a little-known security flaw with dangerous security implications for anyone with an online account.

Basically, the network lost track of who was who and gave people access to other people’s accounts.

Internet security professionals said they have never heard of a security hole like this, where the wrong people are shown a Web page whose username and password were entered by someone else.

It is not known whether situations like this are uncommon or simply go unreported. However, security flaws like this could potentially occur on any site that requires a user login, including email accounts, social networks, company intranets, etc.

Nathan Hamiel, founder of the Hexagon Security Group, said: “The fact that it did happen is proof that it could potentially happen again and with something a lot more important than Facebook.”

After going to Facebook.com on her Nokia smartphone, Candace Sawyer was logged into the site without being prompted for a user name or password. She noticed that she was logged into a Facebook account that wasn’t hers.

Sawyer logged off and asked her sister Mari and their mother Fran to log in to see if they had the same problem on their mobile phones.

Mari was given access to another woman’s Facebook account and Fran found that she had access to another stranger’s Facebook account. Both women sent emails to their real Facebook accounts to prove the security glitch had occurred.

After contacting both Facebook and AT&T, the women discovered that the problem wasn’t the phones or Facebook, but rather with the network that connects the phones to the internet.

The problem involves a “misdirected cookie” (a file that Web sites place on computers to identify users) that was routed to and placed on the wrong computer.

The incident highlights a terrible problem for everyone who uses the internet.

Web sites that use encryption would likely be safe from this type of network security flaw since web browsers would have problems decoding the encryption on a secure page.

Sensitive sites like financial, banking and e-commerce sites are typically secured with encryption.
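One check a site operator can run that follows from the point above, added here as an example (it is not the article’s or the AP’s code): parse a site’s Set-Cookie headers and flag session cookies that lack the Secure attribute, since a browser will also send those over cleartext HTTP, which is where a network that misroutes them can expose them. The header lines are constructed, and the list of session-name hints is an assumption.

```python
"""Audit Set-Cookie headers for session cookies that could travel over
cleartext HTTP. Added example; the header lines below are constructed,
not captured from any real site."""
from http.cookies import SimpleCookie

# Substrings that usually mark a session/authentication cookie (assumption;
# extend for the site being audited).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed sample headers, as a server might send them in one response.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",           # session, no Secure
    "locale=en_US; Path=/",                         # preference, not session
    "authtoken=xyz789; Path=/; Secure; HttpOnly",   # session, Secure set
]


def is_session_cookie(name: str) -> bool:
    """Heuristic: does this cookie name look like it carries a session?"""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def cleartext_session_cookies(set_cookie_headers: list[str]) -> list[str]:
    """Return the names of session-looking cookies without the Secure
    attribute, i.e. cookies a browser would also send on plain http://
    requests and so expose to any intermediary on the path."""
    at_risk = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)  # parses name=value plus attributes/flags
        for name, morsel in jar.items():
            # morsel["secure"] is True when the Secure flag was present,
            # otherwise the empty string.
            if is_session_cookie(name) and not morsel["secure"]:
                at_risk.append(name)
    return at_risk


if __name__ == "__main__":
    for name in cleartext_session_cookies(SAMPLE_HEADERS):
        print(f"session cookie '{name}' lacks Secure: sent over cleartext HTTP")
```

The fix on the server side is to mark session cookies Secure (and HttpOnly) and serve the logged-in pages only over HTTPS, so the cookie never crosses the network in the clear.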

A similar situation on Facebook happened last November to Stephen Simburg who found himself with access to a woman’s Facebook account. After contacting the woman about the problem they discovered that they both used the AT&T network to access Facebook from their mobile phones.

Whether this is simply a problem on the AT&T network or part of a larger wireless service problem remains to be seen, but Verizon could have a field day with AT&T’s “misdirected cookies”.

[ Source: Associated Press ]