An Associate Press (AP) exclusive tells the story of a glitch that allowed AT&T wireless users to log into the Facebook accounts of other users. This glitch was “the result of a routing problem at the family’s wireless carrier, AT&T”.
It seems like the users didn’t use a Facebook application, but, instead, logged into Facebook via their phone’s Internet browser. From there the Internet lost track of who was who. Instead of putting the users into the correct Facebook account, they were put into the Facebook accounts of other users. What’s alarming is it doesn’t seem like the users could have done anything to prevent the error.
According to the AP article, this glitch isn’t just a problem for AT&T customers and Facebook, but it’s “a little known security flaw with far reaching implications for everyone on the Internet”.
For a complete description of what happened it’s worth quoting the AP article at length:
Candace Sawyer, 26, says she immediately suspected something was wrong when she tried to visit her Facebook page Saturday morning.
After typing Facebook.com into her Nokia smart phone, she was taken into the site without being asked for her user name or password. She was in an account that didn’t look like hers. She had fewer friend requests than she remembered. Then she found a picture of the page’s owner.
“He’s white _ I’m not,” she said with a laugh.
Sawyer logged off and asked her sister, Mari, 31, her partner in a dessert catering company, and their mother, Fran, 57, to see whether they had the same problem on their phones.
Mari landed inside another woman’s page.
Fran’s phone _ which had never been used to access Facebook before _ took her inside yet another stranger’s page, one belonging to a young woman from Indiana. They sent an e-mail to one of their own accounts to prove it.
They were dumbfounded.
“I thought it was the phone _ `Maybe this phone is just weird and does magical, horrible things and I have to get rid of it,'” said Candace Sawyer.
The women, who live together in East Point, Ga., outside Atlanta, had recently upgraded to the same model of phone and all used the same carrier, AT&T.
Sawyer contacted The Associated Press after reporting the problem to Facebook and AT&T.
The problem wasn’t in the phones. It was a flaw in the infrastructure connecting the phones to the Internet.
That illuminates a grave problem.
All three women experienced this glitch because it’s a function of the way cellular networks are designed. In certain cases, all the mobile Internet traffic for an area is routed through the same piece of networking equipment. What that means is if that piece of equipment is having a bad day, misbehaving or is incorrectly set up, then strange things like what happened to Sawyer, her sister and their mother can happen when computers receive the data they’ve typed into the phone.
Many of the security experts that AP contacted had not heard of a case like this before. However, the article qualifies this by saying it simply might be a case that people don’t report it instead of it being incredibly rare. The experts did say that flaws like this can occur with email services on a PC too.
The experts also said that sites that use encryption would be immune from this sort of mix up. However, the sites that use encryption consistently are sensitive sites, banking and e-commerce. Sites like Facebook and others use encryption to protect the sign-in process from hackers. However, after users are signed in the encryption is dropped.
Although Sawyer and her family contacted and spoke to AP, the two people whose Facebook pages were exposed to the Sawyers didn’t return the AP’s phone calls or emails. Therefore, it’s not 100% clear if they’re also AT&T customers. However, security experts say that is likely the case. When contacted, Facebook deflected the question back to AT&T and declined to comment on this case.
In fact, this has happened before with two AT&T mobile users linking into another person’s Facebook account. This story is also worth quoting at length:
Stephen Simburg, 25, who works in marketing, was home for Thanksgiving in Vancouver, Wash., when he logged onto Facebook from his cell phone. He didn’t recognize the people who had written him messages.
“I thought I had gotten really popular all of a sudden, or something was wrong,” he said. Then he saw the picture of the account owner: A young woman.
He got her e-mail address from the site, logged off and wrote the woman a message. He asked whether he had met her at some point and she had borrowed his phone to check her Facebook account.
“No,” she wrote back, “but I was just telling my family that I ended up in your profile!”
Simburg and the woman figured out they were both using AT&T to access Facebook on their phones. (AT&T had no comment because the incident wasn’t reported to the company.)
“I felt like I had been let down by the phone company and by Facebook,” he said.
I can see exactly why he feels let down by both AT&T and Facebook.
They know about this glitch and they need to fix it. Also, because this glitch isn’t necessarily exclusive to AT&T and Facebook, I hope that other mobile carriers and website are aware of this story too. The article also made it clear that there is no way to tell how many people were affected by this problem or if the problem was limited only to Facebook’s site.
To all the net experts out there, please weigh in. What do you think?