
AT&T Glitch Connects Users to Wrong Accounts (boston.com)

CAE guy writes: "The Boston Globe reports: 'A Georgia mother and her two daughters logged onto Facebook from mobile phones last weekend and wound up in a startling place: strangers' accounts with full access to troves of private information. The glitch — the result of a routing problem at the family's wireless carrier, AT&T — revealed a little known security flaw with far reaching implications for everyone on the Internet, not just Facebook users.' Who needs to worry about man-in-the-middle attacks when your service provider will hijack your session for you?"

  • This appears to only affect sites that don't use encryption. Otherwise this would be really scary for companies who are increasingly locating their sensitive and mission-critical data "in the cloud". Who knows what sort of confidential documents, messages or financial info might be inadvertently exposed through this otherwise.

    Google Docs, I note...DOESN'T always use encryption. Seems to me that puts them on the list of sites that COULD be vulnerable.
  • No, this should not be an issue with lack of "encryption" in the service. Rather, it is more likely that Facebook issued erroneously the same identification cookies to two different customers, or simply re-used the same ID before the old session had a chance to expire.
