Tuesday, February 16, 2010

Cookies, AT&T, Facebook And Your Privacy

This post is based on a question received via Twitter from @mmurfsurf. I apologize for the delay in my reply.

Last month, you may have seen a story or two about an AT&T Wireless / Facebook security problem. Some AT&T mobile Facebook users were being logged into other Facebook users' accounts. The Associated Press ran an interesting story about a Georgia mother and her two daughters who logged onto Facebook from mobile phones and wound up in a startling place: strangers' accounts with full access to troves of private information. That AP article said the glitch was the result of a "routing problem" at the family's wireless carrier, AT&T -- revealing a little-known security flaw with far-reaching implications for everyone on the Internet, not just Facebook users. In each case, the Internet lost track of who was who, putting the women into the wrong accounts.

Both AT&T and Facebook claim this particular problem has been fixed, but it has brought to the front some major security issues with sites that require authentication. Iljitsch van Beijnum, in an excellent post titled "Facebook, AT&T play fast and loose with user authentication" over at Ars Technica, claims 99% of all sites implement user authentication themselves, with some doing it right and others not. Here's more from van Beijnum:

Putting a password in a normal text box means it's transmitted in the clear. To avoid this, it's necessary to use an encrypted HTTPS session, at least to transmit the password. Some sites do this, others simply send it in the clear where it can be intercepted relatively easily, especially—but not exclusively—on unencrypted Wi-Fi networks, such as Wi-Fi hotspots.

The second problem with home-grown user authentication is that it really only secures a single page. If the user later loads the page again, or loads another page, she would have to type the password again to really be secure. The solution to this problem is for the server to store some information in the form of a "cookie" on the user's system. Cookies for a certain site are automatically transmitted along with every HTTP request made to that site, so the server can recognize the user by the information in the cookie. So far so good. (Ignoring the fact that cookies can also easily be intercepted if sessions are unencrypted.)

Van Beijnum lists a couple of cookie-related possibilities for the AT&T/Facebook snafu:

Possibility One

When mobile phones first gained the ability to access the Web, a lot of work was done to optimize the experience on slow, memory-starved devices with a slow connection. Much of that magic involves Web proxies. One way for this particular Facebook user authentication issue to come up on AT&T's mobile network would be if there is a caching proxy in between the server and the user that doesn't pay attention to cookies. So if user A with cookie X visits Facebook, the proxy caches the page user A gets. Then, when user B comes along with cookie Y, the proxy simply sends the cached page to user B, which is of course the page that only user A is supposed to see.

Possibility Two

Another possibility is that AT&T uses proxy cookies. WAP, a protocol that was used to create a Web-like experience for phones not capable enough to show the real Web, doesn't support cookies. This makes life hard, so proxies that let WAP clients talk to Web servers often implement "proxy cookies," where the proxy stores the cookies on behalf of the client. However, in that case it's essential that the proxy knows which user it's proxying for at any given moment, otherwise it sends the wrong cookie to the server and the user is logged in as someone else.

It's not clear exactly what was fixed and what happened - at least from the information I have access to. However, it looks like both AT&T and Facebook were at fault - AT&T for mixing up cookies and Facebook for using clear text cookies. It's important to understand it is not just an AT&T/Facebook problem.
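
The caching failure in Possibility One, as an added Python sketch that is not from the original post or the Ars Technica article: a shared proxy cache keyed only on the URL hands user A's page to user B, while a cache that honours `Cache-Control: private` and `Vary: Cookie` does not. The origin server, the session cookies, the paths and every class and function name are constructed for illustration, and the header handling is simplified to these two headers.

```python
# Added illustration: every name here is hypothetical and the data is constructed.
SESSIONS = {"sid=X": "user A", "sid=Y": "user B"}  # cookie -> logged-in user
ANY = object()  # cache-key marker: response does not depend on the cookie

def origin(path, cookie):
    """Constructed origin server: returns (response headers, body)."""
    if path == "/logo.png":
        return {"Cache-Control": "public, max-age=3600"}, "logo"
    if path == "/banner":  # cacheable, but personalised per cookie
        return ({"Cache-Control": "public, max-age=60", "Vary": "Cookie"},
                f"banner for {SESSIONS.get(cookie, 'guest')}")
    return ({"Cache-Control": "private", "Vary": "Cookie"},
            f"home page of {SESSIONS.get(cookie, 'guest')}")

class NaiveProxy:
    """Shared cache keyed on the URL alone: cookies and headers are ignored."""
    def __init__(self):
        self.cache = {}

    def get(self, path, cookie):
        if path not in self.cache:
            self.cache[path] = origin(path, cookie)[1]
        return self.cache[path]

class CarefulProxy:
    """Shared cache that honours Cache-Control and Vary: Cookie."""
    def __init__(self):
        self.cache, self.origin_hits = {}, 0

    def get(self, path, cookie):
        for key in ((path, cookie), (path, ANY)):
            if key in self.cache:
                return self.cache[key]
        self.origin_hits += 1
        headers, body = origin(path, cookie)
        directives = {d.strip().split("=")[0]
                      for d in headers.get("Cache-Control", "").lower().split(",")}
        if directives & {"private", "no-store"}:
            return body  # per-user response: never store in a shared cache
        varies = "cookie" in headers.get("Vary", "").lower()
        self.cache[(path, cookie if varies else ANY)] = body
        return body

def demo():
    """Return what user B receives from each proxy after user A's visit."""
    naive, careful = NaiveProxy(), CarefulProxy()
    for proxy in (naive, careful):
        proxy.get("/home", "sid=X")  # user A loads the page first
    return naive.get("/home", "sid=Y"), careful.get("/home", "sid=Y")
```

Calling `demo()` returns the two bodies user B receives: the naive proxy serves user A's cached home page, the careful one fetches user B's own.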

How can user information and privacy be better protected? The solution is simple and van Beijnum says it well - encrypting all sessions would solve these problems: passwords and cookies can't be intercepted and proxies can't get to the data.

1 comment:

Anonymous said...

Thanks for delving into the Gordon as all Facebook users need to be aware of this issue!