Date: Tue, 19 Jan 2010 09:45:19 -0800
From: "Matthew Leeds" <mleeds@...leeds.net>
To: "Michael Scheidell" <scheidell@...nap.net>,
	bugtraq@...urityfocus.com
Subject: Re: facebook 'routing flaw'?

There is a fairly in-depth discussion of the issue here:

http://arstechnica.com/web/news/2010/01/facebook-att-play-fast-and-loose-with-user-authentication.ars

Not a routing issue, more of a proxy issue, and not uncommon in mobile carrier networks. Getting security right in a mobile application is tricky given how carriers manage Internet access. With the growth of smartphones these kinds of issues will become more prevalent until carriers refactor how they manage traffic via their proxies. I'll also note that while the referenced article suggests the use of SSL, there are issues with support in the mobile environment for SSL in terms of which certificate authorities are pre-installed on phones, whether applications have access to the certificate store on the mobile device (or need an embedded certificate), how certificate chaining and wildcarding is supported, and so on.

*********** REPLY SEPARATOR  ***********

On 1/16/2010 at 7:39 AM Michael Scheidell wrote:

>AP Report says it was a 'routing problem'? any idea what they are 
>talking about, do THEY know what they are talking about?
>Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP 
>ADDRESS AND COOKIES and disable the session when the ip changed?
>
><http://www.foxnews.com/scitech/2010/01/16/network-flaw-causes-scary-web-error/>
>
>SAN FRANCISCO - A Georgia mother and her two daughters logged onto 
>Facebook from mobile phones last weekend and wound up in a startling 
>place: strangers' accounts with full access to troves of private 
>information.
>
>The glitch - the result of a routing problem at the family's wireless 
>carrier, AT&T - revealed a little known security flaw with far-reaching 
>implications for everyone on the Internet, not just Facebook users.
>
>-- 
>Michael Scheidell, CTO
>Phone: 561-999-5000, x 1259
>SECNAP Network Security Corporation
>
>    * Certified SNORT Integrator
>    * 2008-9 Hot Company Award Winner, World Executive Alliance
>    * Five-Star Partner Program 2009, VARBusiness
>    * Best Anti-Spam Product 2008, Network Products Guide
>    * King of Spam Filters, SC Magazine 2008