On Saturday, an exclusive AP report told a story of an AT&T network glitch which allowed some mobile users the ability to login to other people’s Facebook accounts. Although according to the story only a handful of people were affected by this glitch, the security flaw could have “far reaching implications for everyone on the Internet,” wrote the reporter.
After reviewing the details of the incident, the “glitch” appears to be more of an issue with some misconfigured software at AT&T and less of an internet-wide security concern, as previously feared. That being said, the wireless company regarded the incident seriously and has taken measures to prevent similar issues from reoccurring in the future.
Users Logged into Wrong Facebook Accounts
In the AP story, a mother and her two daughters, all of whom are AT&T subscribers, logged into the social networking site Facebook using their mobile phones and found themselves with full access to strangers’ Facebook accounts. This was apparently caused by a routing error on AT&T’s part, the article notes. In this modern-day equivalent of “crossed wires,” it seemed the wireless company had lost track of which users were which and had sent back the incorrect web pages to the users’ phones. It turns out that the women were not alone in experiencing these issues – other AT&T customers were affected as well. However, AT&T won’t say how many, only that the problem occurred in “a limited number of instances.”
Over on the technology news website Slashdot, many speculated about the cause of the incident, questioning whether it was a corrupted caching proxy at AT&T or a bug in the HTTP headers set by Facebook that instruct how a response should be cached, among other things. In other words, some weren’t taking it at face value that the problem was entirely AT&T’s fault, despite the fact that an AT&T spokesman claimed that the “network problem behind those episodes” was being fixed.
Server Software Error to Blame
A recent statement from AT&T now reveals a few more details about the problem and what they’re doing to address it. According to Michael Coe, the same AT&T spokesman cited in the AP article, the issue was caused by a “server software connectivity error” which impacted some wireless customers logging into Facebook using AT&T subscriber information. Facebook users who signed up for the service using their mobile phones are able to log in to the site using the phone number and password created during the sign-up process, Facebook states in a Q&A on its Help site.
Although Facebook would not comment on the original story, AT&T reports that it did work with the social network in determining the cause of the problem. As it turns out, those affected were logging into Facebook using their AT&T phone numbers as opposed to a username/password combination. Typically, when a username and password are used, a cookie is stored on the mobile device. This small file retains a user’s login credentials, allowing them to access Facebook without having to re-enter their sign-in information. When a cookie is not available, the subscriber information is sent to Facebook.com automatically. This is what had taken place in the reported incidents.
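To make that fallback concrete, here is an added illustration (not code from AT&T, Facebook or the article) that models a carrier proxy stamping a subscriber number onto each request and a site that, when no cookie is present, authenticates on that stamp alone, next to a version that only honours a session issued after a password login. The header name, the account data and the misroute are constructed assumptions.

```python
"""Model of the login fallback described above: session cookie if present,
otherwise an identifier attached to the request by the carrier.
All names and data here are assumptions constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


# Constructed sample data: sessions issued after a password login, and the
# carrier's mapping from subscriber number to account.
SESSIONS = {"sess-alice": "alice"}
SUBSCRIBERS = {"+15550001": "alice", "+15550002": "bob"}


def carrier_proxy(request: Request, true_subscriber: str,
                  misrouted_as: Optional[str] = None) -> Request:
    """Carrier-side proxy that stamps the subscriber number onto the request.
    `misrouted_as` models the "crossed wires" case where the proxy attaches
    another customer's number to this phone's request."""
    request.headers["X-Subscriber-Number"] = misrouted_as or true_subscriber
    return request


def resolve_user_weak(request: Request) -> Optional[str]:
    """Pre-fix behaviour: trust the carrier header whenever no cookie exists."""
    user = SESSIONS.get(request.cookies.get("session"))
    if user is not None:
        return user
    return SUBSCRIBERS.get(request.headers.get("X-Subscriber-Number"))


def resolve_user_fixed(request: Request) -> Optional[str]:
    """Post-fix behaviour: only a session created by a password login counts;
    a network-supplied identifier never authenticates on its own."""
    return SESSIONS.get(request.cookies.get("session"))


def demo() -> dict:
    """Bob's phone, no cookie, proxy mislabels the request as Alice's."""
    misrouted = carrier_proxy(Request(), "+15550002", misrouted_as="+15550001")
    return {"weak": resolve_user_weak(misrouted),
            "fixed": resolve_user_fixed(misrouted)}
```

The weak resolver lands Bob in Alice's account as soon as the proxy mislabels one request; the fixed resolver simply asks him to log in.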
No More Logins Using Your Phone Number, Says AT&T
AT&T reports that it has now put additional “security measures” in place to prevent a recurrence of this issue but won’t elaborate on what precisely those measures involve. In addition, the wireless company states it is working with Facebook to disable the use of subscriber information as a method for automatic login. That means that going forward, AT&T users will no longer be able to use their phone numbers as login credentials to access Facebook from their mobile devices. Only a username and password combination will be allowed.
Coe also notes that a similar incident occurred on a customer’s phone in Atlanta, referring to the incident involving the three women. In that case, a misdirected cookie was set on the phone. This is a slightly different issue from what’s described above, as it does indeed hint at a routing problem in which users are sent the wrong cookie. Although the problem is now resolved, AT&T has still not been able to determine what caused this particular issue. However, the possible routing issue behind this one incident (AT&T could only isolate the problem to one of the three women’s phones) does not appear to be the cause of the other problems. While still somewhat disturbing, especially since the cause is unknown, this singular occurrence does not merit worrying about any “far-reaching,” internet-wide consequences as implied by the original article.