Re: facebook 'routing flaw'?

[Suramya Tomar <security () suramya com>]

Hey,

> AP Report says it was a 'routing problem'? any idea what they are
> talking about, do THEY know what they are talking about?
> Did AT&T mix up the destination ip addresses? did facebook NOT CHECK IP
> ADDRESS AND COOKIES and disable the session when the ip changed?

As far as I can tell no technical details have been released to explain 
this issue either by Facebook or AT&T. So I am going to speculate on 
various ways this might have happened:

1. A flaw in Facebook caused the system to falsely authenticate users 
based on their IP address even without an authentication cookie present.

This could happen, however if this was the case a lot more people would 
have hit it by now especially on networks that have their IP address 
allocated dynamically.

So Probability of this being the reason: Very Low

2. AT&T is using a proxy caching server and the authentication cookies 
used by Facebook was stored on the proxy server.

If a proxy server was being used by AT&T then when a request went out to 
Facebook it would check for a valid session using the server’s IP 
address and then check for an authentication cookie on that server. If 
one existed the user would then be authenticated even though this time 
someone else was trying to access their Facebook account.

The problem in this case would be the incorrect configuration of their 
Proxy server by AT&T.

So Probability of this being the reason: Very High

3. Can’t think of any other reason… Though there could be a ton of other 
explanations. Just can’t think of any of them right now.

Just my 2c.

- Suramya

--
-------------------------------------------------
Name : Suramya Tomar
Homepage URL: http://www.suramya.com
-------------------------------------------------

************************************************************
Disclaimer:
Any errors in spelling, tact, or fact are transmission errors.
************************************************************