“Scary Web Error!”

Apparently on a few AT&T phones, a few Facebook users were dropped into accounts of other users.

After typing Facebook.com into her Nokia smart phone, she was taken into the site without being asked for her user name or password. She was in an account that didn’t look like hers.

… AT&T spokesman Michael Coe said its wireless customers have landed in the wrong Facebook pages in “a limited number of instances” and that a network problem behind those episodes is being fixed … Coe said an investigation points to a “misdirected cookie.” … Coe said technicians couldn’t figure out how the cookie had been routed to the wrong phone…

Well that’s a new one. Sites could store the User-Agent (UA) string in the server-side session at login and check on every request that it hasn’t changed. This would prevent the auto-logged-in-as-other-user problem (except for users with identical phones, whose UA strings match), but, despite this being a sensible security option, I don’t think many sites do it. If these problems start becoming more common, that may need to change.
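As an added example (not code from the original post, nor from Facebook or AT&T), here is a minimal server-side session store that records the User-Agent at login and refuses a cookie that later shows up from a different one; the UA strings and user names are constructed sample values, and the last case shows the identical-phone caveat.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """In-memory session store that binds each session to the User-Agent
    string seen at login. Hypothetical helper for this example."""

    def __init__(self):
        self._sessions = {}

    @staticmethod
    def _ua_hash(user_agent):
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def login(self, user_id, user_agent):
        """Create a session and return the cookie value to send to the client."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"user": user_id, "ua": self._ua_hash(user_agent)}
        return session_id

    def resolve(self, session_id, user_agent):
        """Map a presented cookie to a user, or None if the cookie is unknown
        or arrives from a different User-Agent than the one that logged in."""
        sess = self._sessions.get(session_id)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["ua"], self._ua_hash(user_agent)):
            # Treat a device change mid-session as a misdirected cookie:
            # drop the session so both parties must log in again.
            del self._sessions[session_id]
            return None
        return sess["user"]


def demo():
    """Walk through the misdirected-cookie scenario; returns the outcomes."""
    store = SessionStore()
    nokia_ua = "Mozilla/5.0 (SymbianOS/9.4; Series60/5.0 Nokia5800d-1)"  # constructed
    htc_ua = "Mozilla/5.0 (Linux; U; Android 2.1; HTC Desire)"  # constructed
    cookie = store.login("alice", nokia_ua)
    same_phone = store.resolve(cookie, nokia_ua)  # "alice": legitimate request
    misdirected = store.resolve(cookie, htc_ua)  # None: different phone, session dropped
    owner_after = store.resolve(cookie, nokia_ua)  # None: Alice must log in again too
    cookie2 = store.login("alice", nokia_ua)
    identical_phone = store.resolve(cookie2, nokia_ua)  # "alice": the UA check cannot tell two identical phones apart
    return same_phone, misdirected, owner_after, identical_phone
```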
