[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B55F746.8050206@suramya.com>
Date: Tue, 19 Jan 2010 23:47:42 +0530
From: Suramya Tomar <security@...amya.com>
To: bugtraq@...urityfocus.com
Subject: Re: facebook 'routing flaw'?
Hey,
> AP Report says it was a 'routing problem'? any idea what they are
> talking about, do THEY know what they are talking about?
> Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP
> ADDRESS AND COOKIES and disable the session when the ip changed?
As far as I can tell no technical details have been released to explain
this issue either by Facebook or AT&T. So I am going to speculate on
various ways this might have happened:
1. A flaw in Facebook caused the system to falsely authenticate users
based on their IP address even without an authentication cookie present.
This could happen, however if this was the case a lot more people would
have hit it by now especially on networks that have their IP address
allocated dynamically.
So Probability of this being the reason: Very Low
2. AT&T is using a proxy caching server and the authentication cookies
used by Facebook was stored on the proxy server.
If a proxy server was being used by AT&T then when a request went out to
Facebook it would check for a valid session using the server’s IP
address and then check for an authentication cookie on that server. If
one existed the user would then be authenticated even though this time
someone else was trying to access their Facebook account.
The problem in this case would be the incorrect configuration of their
Proxy server by AT&T.
So Probability of this being the reason: Very High
3. Can’t think of any other reason… Though there could be a ton of other
explanations. Just can’t think of any of them right now.
Just my 2c.
- Suramya
--
-------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------
************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************
Powered by blists - more mailing lists