
Okay, so we were under the impression that Facebook login credentials were a locally-managed affair, but it looks like almost anything can break when AT&T's involved -- according to CNET, the carrier just fixed "several problems" that had users logging into the wrong Facebook account from their phones. The issue was apparently related to subscriber identification numbers being mistranslated into bad URL session IDs, and AT&T says it's taken some security measures to prevent it from happening again, while Facebook's just shut off the automatic login feature that used the ID number entirely. Excellent work all around. Unfortunately, there's also a pesky incident in Atlanta where someone was able to log in to another Facebook account from an AT&T phone due to a bad cookie, but AT&T says that was an "isolated" case and that it's "unclear how this cookie was set on the phone." How very reassuring. Back to Friendster!
Why does Facebook allow people to log in with an ID only? This seems like a really poor idea to start with. If they thought there wasn't a way to exploit this they found out that even the idiotic carriers were on the side of the hackers with their incompetence.
@fatslug I tested this theory and you can use an email that has a URL to log into someone's facebook. Basically, if your friend receives a facebook email and leaves his email open, you can use that to log in as him and do whatever the fuck you want without needing to enter his password.
Secure, huh?
@(Unverified) fortunately someone else logging into your account usually just means your status implies you are a homosexual. at least that is my experience.
@fatslug
facebook is all about keeping your friends in touch. Sorry to hear your friends are morons.
@(Unverified)
Yeah, secure...
If your friend is dumb enough to leave his e-mail open, he's probably dumb enough to tell you his password to Facebook. Someone leaving their e-mail open should be grounds for calling Facebook's security poorly implemented. The reason it's okay to have URLs that will just log you in is because they're usually extremely long, and the chance of someone guessing that URL is a virtual impossibility, especially in comparison to just guessing someone's account password.
Don't get me wrong, I still hate Facebook though...
HAPPY FUCKING FRIDAY!
Wait. why would i use safari when i have a native app that is much better?
@intrglctcrevfnk
not just that, even the mobile facebook page has more capabilities (although it looks worse) than the touch page
and all this time I thought I was 1337 getting into others accounts. DAMN you ATT ..for pee'ing in my cornflakes
What's next, allowing people to log in to my bank account? Thanks a lot, bin Laden!
Looks like they were caching even sensitive information in an effort to save bandwidth. ATT can't handle it.
@(Unverified)
all jokes aside, AT&T's network data usage went up 4000% since the launch of the iPhone 3G
I applaud their efforts to keep their sanity under that stressful, unprecedented growth in data usage on their network.
@Drybones5 And I applaud their money blinded minds for failing to predict and prepare for an issue that was so obvious. "The iPhone, popular? Network Congestion? Derrrrrr"
@Valicore
They probably saw that coming but who in hell would predict a 4000% rise in data usage.
no one
@Drybones5 if that number is correct i kinda feel bad for ripping on them in the past. i don't care what network it is, if usage goes up by 4000% you are going to have issues. if the iPhone went to Verizon they would have the same problem and they would have Luke Wilson on TV promos.
@Drybones5 Well, if you accept at&t's claims that 3% of users use 40% of the bandwidth... then...well... somebody should have been able to predict it, because that is why they locked up an exclusive deal... isn't it?
And the 3G is now... 18 months out of the gate? Of course rather than adding to their infrastructure, Mr De La Vega sees the answer as "teach people to use less of the unlimited bandwidth they are paying for."
Soon we're going to need Antivirus and identity theft products for Facebook and phones....
2010 looks like a promising year of malicious hackers saying F*** YOU to smartphones. amirite?
@Drybones5 AV already exists for phones. Same with firewalls.
Lookout Mobile is one solution for AV/firewall/lost/stolen device protection, along with the hordes of other apps for WinMo/Android/iPhone/Symbian. Hell, even a couple years back I recall NTT DoCoMo handsets had built-in McAfee technology.
@dragonfli
McAfee is teaming up with Facebook to work on facebook security
@Drybones5
Most malware these days is installed by naive users clicking 'here', a problem compounded by companies like MS thinking the solution is to bombard users with even more useless pop-ups which reinforces their click whatever to make it go away attitude, as long as that is the problem, anti-virus software is only ever going to be a mediocre solution.
Slow night at Engadget? Just dip into the back log of AT&T complaints.
@Jeff We have to vent our anger at some point. Spamming people with angry Facebook statuses is just harassing, I applaud Engadget for giving me this opportunity. Thank god I'm on my slow Comcast connection rather than my slower AT&T connection so this Engadget app actually loads on my iPhone. Fuck you AT&T!
the good thing is, there's so many accounts out there, what's the chance of some idiot logging in to your account?
AT&T is truly fucking awful. I would not weep if their headquarters burned to the ground.
@HurricaneDC that would be one way to avoid my termination fee...
I lol'd when I read title... Shame on you AT&T
That could create some awkward wall posts.
"but it looks like almost anything can break when AT&T's involved"
LOL. Quote of the month material for sure.
Going along with all the other Engadget conspiracies, is Engadget hinting to a price for the iSlate?
Excuse me but,
ahahhahahahahahah
Cookie Monster strikes again!
Back to friendface!
http://www.youtube.com/watch?v=6rNgCnY1lPg
Guys, this happened to me several months ago. Found myself in another user's Facebook account on my cell phone. I could have done anything to that guy's profile. I could have eliminated all his friends, his inbox, done or said things while disguised as him, changed his email or deleted his account completely!
I'm a nice guy though - I just logged out and then logged back in and found myself once again where I belonged. I can only hope someone else does the same if they find themselves accidentally logged into my account.
SHAME ON AT&T FOR THIS BLUNDER!
All this time I thought I actually had 1,394 friends, only to find out it's not actually my Facebook I'm logged into. Way to crush my dreams of pseudo-popularity AT&T.
Lol. I knew something was up when I logged into my facebook and realized that I was a 17 year old girl from MN. I just started coming on to all of her female friends. It was an early Sunday morning! A hell of a lot better than going to church, I must say.
Now, if only Comcast would fix the bug in its app that occasionally "replies" e-mails to the wrong recipient!!
It's happened to me twice, and could have disastrous consequences!!
Is Friendster any good?