lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Jan 2010 23:47:42 +0530 From: Suramya Tomar <security@...amya.com> To: bugtraq@...urityfocus.com Subject: Re: facebook 'routing flaw'? Hey, > AP Report says it was a 'routing problem'? any idea what they are > talking about, do THEY know what they are talking about? > Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP > ADDRESS AND COOKIES and disable the session when the ip changed? As far as I can tell no technical details have been released to explain this issue either by Facebook or AT&T. So I am going to speculate on various ways this might have happened: 1. A flaw in Facebook caused the system to falsely authenticate users based on their IP address even without an authentication cookie present. This could happen, however if this was the case a lot more people would have hit it by now especially on networks that have their IP address allocated dynamically. So Probability of this being the reason: Very Low 2. AT&T is using a proxy caching server and the authentication cookies used by Facebook was stored on the proxy server. If a proxy server was being used by AT&T then when a request went out to Facebook it would check for a valid session using the server’s IP address and then check for an authentication cookie on that server. If one existed the user would then be authenticated even though this time someone else was trying to access their Facebook account. The problem in this case would be the incorrect configuration of their Proxy server by AT&T. So Probability of this being the reason: Very High 3. Can’t think of any other reason… Though there could be a ton of other explanations. Just can’t think of any of them right now. Just my 2c. - Suramya -- ------------------------------------------------- Name : Suramya Tomar Homepage URL: http://www.suramya.com ------------------------------------------------- ************************************************************ Disclaimer: Any errors in spelling, tact, or fact are transmission errors. ************************************************************
Powered by blists - more mailing lists