lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Tue, 19 Jan 2010 09:08:13 +0200
From: "Sacks, Cailan C" <Cailan.Sacks@...ndardbank.co.za>
To: "Michael Scheidell" <scheidell@...nap.net>,
	<bugtraq@...urityfocus.com>
Subject: RE: facebook 'routing flaw'?

Just my two cents, but...

Many mobile providers are implementing caching on their proxies to make
up for the overpopulated state of their networks, and depending on how
the session ID is generated and stored (being a mobile device this is a
bit more complicated than just setting cookies), it wouldn't necessarily
be a routing problem on the network layer, but could be a routing
problem within the application because of cached resources.

If, for example, facebook set the cookie in a non https session, or in
the url or via a redirect to a uniquely generated page name which in
turn set the cookie depending on the variables passed in a URL or other
cached content, and two users browsed the page content in relatively
short periods of time, the session cookie issued would be identical.
Meaning the second person to browse facebook would be logged in as the
first person who had already authenticated themselves.

Maybe someone can check if the mobile operator had recently implemented
something like this?

-----Original Message-----
From: Michael Scheidell [mailto:scheidell@...nap.net] 
Sent: Saturday, January 16, 2010 2:39 PM
To: bugtraq@...urityfocus.com
Subject: facebook 'routing flaw'?

AP Report says it was a 'routing problem'? any idea what they are 
talking about, do THEY know what they are talking about?
Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP 
ADDRESS AND COOKIES and disable the session when the ip changed?

<http://www.foxnews.com/scitech/2010/01/16/network-flaw-causes-scary-web
-error/>

SAN FRANCISCO - A Georgia mother and her two daughters logged onto 
Facebook from mobile phones last weekend and wound up in a startling 
place: strangers' accounts with full access to troves of private 
information.

The glitch - the result of a routing problem at the family's wireless 
carrier, AT&T - revealed a little known security flaw with far reaching 
implications for everyone on the Internet, not just Facebook users.

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
 > *| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best Anti-Spam Product 2008, Network Products Guide
    * King of Spam Filters, SC Magazine 2008


______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________  
Standard Bank email disclaimer and confidentiality note
Please go to http://www.standardbank.co.za/site/homepage/emaildisclaimer.html to read our email disclaimer and confidentiality note. Kindly email disclaimer@...ndardbank.co.za (no content or subject line necessary) if you cannot view that page and we will email our email disclaimer and confidentiality note to you.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ