As you may be aware, several individuals using AT&T-based cellular phones recently reported being logged into the wrong Facebook account when accessing the Facebook site from their phones. Current reports indicate that the root cause is AT&T’s network, which misdirected Facebook cookies. These cookies, set to reflect that an individual has logged in, are to be stored on each user’s device. Is this issue a cause for concern? Is the issue likely limited to Facebook? Does Facebook bear any responsibility?
In terms of concern, I’d say there is cause for major concern. We implicitly trust that the single request/response interaction between the browser and the server is carried over a single network connection. Unless an attacker inserts himself or herself into the virtual connection circuit, the server’s response to the browser (containing the cookie) must travel over the same connection that sent the original credentials.
In this case that trust appears to be misplaced. It is easy to understand how this is possible. The carriers are free to manage connections however they choose. In reality the carrier is likely proxying between the cellular network and the Internet, like any NAT-based approach. A little coding error, such as an improperly shared resource, and results destined for one phone are returned to another.
Classically this seems like a race condition. Certainly in the latest incident that explanation seems consistent with the facts since the two people who ended up on each other’s Facebook accounts were on-line at the same time. Nothing particularly interesting about multi-threaded code containing a race condition. It has happened before and will happen again.
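The failure mode described above, a proxy that keeps a single shared slot for "the client I am currently serving" and so hands one phone's response to another, is easy to model without real threads. The following is an added example, not code from the original post or from any carrier's infrastructure: it replays one deterministic interleaving (both phones log in before either reply comes back) against a buggy proxy and against a corrected proxy that tags every outbound request with a correlation id and routes the reply by that id. The client names, cookie values and the `misdelivered` oracle are constructed for the demonstration.

```python
from dataclasses import dataclass
import itertools


@dataclass
class Response:
    """An upstream reply; `request_id` is the id the proxy attached on the way out."""
    request_id: int
    body: str  # constructed stand-in for a Set-Cookie header


class BuggyProxy:
    """Models the 'improperly shared resource': one field holds the client
    whose response is expected next. Any concurrent request overwrites it,
    so whichever reply arrives next is delivered to the most recent requester."""

    def __init__(self):
        self.current_client = None
        self.delivered = {}  # client -> list of bodies that client received
        self._ids = itertools.count(1)

    def request(self, client, path):
        self.current_client = client  # BUG: shared across in-flight requests
        return next(self._ids)

    def upstream_response(self, resp):
        # Routes by the shared slot, ignoring which request the reply answers
        self.delivered.setdefault(self.current_client, []).append(resp.body)


class CorrelatedProxy:
    """Per-request state: the outbound request id is mapped to the client that
    issued it, and each reply is routed through that map and then forgotten."""

    def __init__(self):
        self.pending = {}  # request_id -> client
        self.delivered = {}
        self.dropped = []  # replies with no matching in-flight request
        self._ids = itertools.count(1)

    def request(self, client, path):
        rid = next(self._ids)
        self.pending[rid] = client
        return rid

    def upstream_response(self, resp):
        client = self.pending.pop(resp.request_id, None)
        if client is None:
            self.dropped.append(resp)  # never guess a recipient
            return
        self.delivered.setdefault(client, []).append(resp.body)


def simulate(proxy_cls):
    """Constructed interleaving: two logins in flight, replies come back in order."""
    proxy = proxy_cls()
    rid_alice = proxy.request("alice", "/login")
    rid_bob = proxy.request("bob", "/login")
    proxy.upstream_response(Response(rid_alice, "Set-Cookie: session=alice-token"))
    proxy.upstream_response(Response(rid_bob, "Set-Cookie: session=bob-token"))
    return proxy.delivered


def misdelivered(delivered):
    """Test oracle only: the constructed cookie values embed the owner's name,
    so a body that does not mention its recipient was cross-wired."""
    return [(client, body)
            for client, bodies in delivered.items()
            for body in bodies
            if client not in body]


if __name__ == "__main__":
    for cls in (BuggyProxy, CorrelatedProxy):
        print(cls.__name__, simulate(cls), "misdelivered:", misdelivered(simulate(cls)))
```

With the buggy proxy, Bob receives both cookies and Alice receives none, which is exactly the "logged into someone else's account" symptom; the correlated proxy delivers each cookie to the phone that sent the credentials. The design point is that the response-to-client binding must live in per-request state (here, the `pending` map keyed by request id, or in a real deployment the per-connection socket itself) rather than in anything shared between concurrent requests, and that a reply the proxy cannot match should be dropped rather than routed to a best guess.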
This leads me to my second question: is this likely limited to Facebook users on the AT&T network? That seems doubtful. It is hard to imagine that the carrier’s infrastructure that proxies requests includes specialized instructions just for Facebook. It seems very likely that any connection-related flaw can occur for any web interaction.