On January 16th the Associated Press released an exclusive report on a glitch in the AT&T network routing infrastructure that sent users straight into the Facebook accounts of total strangers. Three women in Georgia reported that when they used their cell phones to visit Facebook they found themselves in other users' accounts. Without ever being prompted for a username or password they had complete control of the accounts and all of the users' personal information.
The Associated Press article suggested problems within the AT&T network infrastructure as the culprit. AT&T admitted to a "limited number" of these incidents, but said the problem is being fixed. However, this particular glitch is not just a simple fix according to security experts, nor is it a problem that's likely exclusive to AT&T or Facebook.
According to experts, the problem is due to cookies, those little information packets that are stored on both the device and the Web site to identify users. Apparently cookies on the AT&T network were being routed to the wrong phones, so when the phone's Internet browser landed on the Facebook page, the site recognized the cookie and immediately opened the account without prompting for a log-in. AT&T said it doesn't know how the cookies were misdirected and that, because two of the women had logged out of the accounts prior to investigation, they could only verify one of the incidents.
These women weren't the only ones reporting this problem. A man in Vancouver, WA went to Facebook last November and landed in the account of a young woman. He found her email address and sent her a message. Not only did they find that they had never met, but that she had gotten logged into his account as well. And they were both using AT&T phones to access their Facebook accounts.
AT&T isn't responding about incidents that weren't directly reported to them and Facebook is directing all questions back to AT&T. That's not surprising considering that AT&T is in the middle of an ongoing war with Verizon. That's big news. This story is just a small blip in comparison and most media outlets aren't reporting it…yet. The Atlanta Journal-Constitution finally picked the story up on January 19th. A little late considering that it's a national story involving local residents, but Gay Atlanta has far more pressing concerns right now.
And Facebook has had a lucrative, yet volatile year. They've had to deal with the Koobface virus and highly publicized incidents, from hacking to privacy complaints to users losing jobs and health benefits due to their own stupidity when posting their off-hour shenanigans and complaints about their bosses. Even Bill Gates threw his hands in the air and announced that he was out of there due to the thousands of friend requests he had coming in from people he didn't know. Not to worry. He's back now. No one knows why, but I suspect it would be difficult to pass up the opportunity to annoy Steve Jobs and Steve Wozniak by out-friending them.
Facebook has opened up a whole new world for many of us. People who didn't even own a computer six months ago are now plugged-in and logged-on. It's a site that makes us feel like we're wrapped in the virtual bosom of a loving Ethernet family. It has allowed us to re-invent ourselves. Re-write the past. Him: no longer the kid with food stuck in his braces but a high-powered CEO or a successful entrepreneur. Her: not "big boned" anymore, she's a hardcore marathon runner who posts ten times a day about what she's cooking for the high-carb diet she's forced to endure. We've felt secure in the midst of those we love, admire and lie to daily (sometimes hourly) about how wonderful our lives are — and they believe us, and reciprocate in kind.
But in the past year a dark cloud began to gather over our beloved FB, stealthy interlopers who wanted to steal our joy. Trolls rising from the bowels of Internet dungeons. They made Facebook have to do the unthinkable — change stuff! And people were not happy. They complained a lot. They wanted it to go back to the way it used to be. Change sucks.
It's little wonder that Facebook decided to clam up and direct complaints back to AT&T: just a few days before AP's story broke, they had made the Big Announcement that they were giving everybody free stuff. People like free stuff. Free stuff is good (unless you've ever tried to kick an expired McAfee App off of your computer, but that's a post for another time — probably about six months from now when those free trial downloads start demanding payments in pop-up windows every two minutes).
Facebook trashing has become a sure-fire way to generate hits. It always delivers. Few people bother to click on an article about an AT&T network failure. Everybody clicks on an article about a Facebook security threat, because everybody has Facebook — and we're all terrified of it. Not surprisingly, when ABC News picked up the AP story on the same day they didn't run it with AP's dreary headline "Network flaw causes scary Web error". Yawn. Boring. Who writes this stuff? They ran with something far more spectacular, much more likely to get hits — and with proper capitalization, "Facebook Glitch Causes Unfriendly Security Error". It's exactly the same story. Word for word. Except the headline. And according to my own personal guru-God of Internet SEO, that, my friends, is what makes giants. You probably wouldn't even be reading this right now if I hadn't put Facebook in the title.
In all seriousness, it's a shame and a disservice that the media have treated this problem so narrowly. Just another Facebook problem. Just another AT&T problem. Ultimately what this glitch has exposed is a problem that has zero-day implications. Implications that go well beyond Facebook security issues or AT&T network failures. The grumblings of security experts suggest that this could well be a warning shot across the bow for mobile gadget addicts. Our demand for bigger, faster, cooler bandwidth-sucking gadgets can overwhelm our resources. It's a problem that can affect any Mobile Internet Service where mass traffic is routed through a single point. It can happen on any Web site that doesn't use encryption. That means many email services are at risk, as well as sites that allow users to log in via mobile devices and create a cookie to stay logged in.
Most online banking sites are encrypted and if you close the browser or are inactive for a period of time you are automatically logged out. Which is good. We like that. We like knowing that our banking data is secure, that no one sitting down at the computer after us can open the browser and find us still logged in. But we've chosen convenience over security in other areas of personal data. We don't want to have to log in each time we check our email accounts, we want our phones to notify us when we have incoming messages, we've come to rely on those cookies for business and for recreation.
This is not just about a failure on the part of one cell phone company to keep their data organized. We all want more cell towers, just not in our neighborhoods, so more and more cell companies are sharing towers. And our addiction to mobile gadgets just keeps growing. It's also about the way most sites are choosing to give us what we want even if it's bad for us. It's about our stubborn habit of preferring intentional ignorance over having to make a change. Intentional, because if you acknowledge that you're taking stupid risks you'll have to do something about it. Ignorance is bliss. I can't hear you, I have my fingers in my ears. LaLaLaLaLa.
The hard, cold truth is that we have to start using technology more responsibly. We need to teach our children to do the same. Just imagine how many times a kid has used someone else's computer to visit MySpace or check their email and didn't bother to log out. That's a conversation parents should have with their kids. Letting someone else gain access to those personal conversations can have devastating and humiliating consequences. Changing any habit takes commitment. It takes intention, self-discipline and repetition.
In a perfect world, cellular companies would spend more money on building solid networks and less on creating new devices and ads to sell them, all Web sites would use encryption, and we would get used to logging in with each visit. But we don't live in a perfect world. For now, the best we can do is try to choose encrypted sites whenever possible, sites that use https instead of http (Google has now made https the default protocol for Gmail; go to settings to make sure you're protected), and make it a habit to always log out before closing the browser on your phone or any other mobile device.
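For readers who build sites rather than just visit them, here is the server side of the trade-off described above, as an added example that is not from the AP report or from any of the companies involved. It shows why a login cookie opens the account for whichever phone presents it, and how an idle limit, an https-only cookie and an explicit log-out narrow that window. `SessionStore`, the `sid` cookie name and the 15-minute limit are hypothetical choices made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_LIMIT = 15 * 60  # seconds; constructed value, not from the article


class SessionStore:
    """Server-side sessions keyed by the cookie value, which is a bearer token."""

    def __init__(self, idle_limit=None):
        self.idle_limit = idle_limit  # None = "stay logged in" indefinitely
        self.sessions = {}            # sid -> [user, last_seen]

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = [user, now]
        return sid

    def set_cookie(self, sid, https_only):
        jar = SimpleCookie()
        jar["sid"] = sid
        jar["sid"]["path"] = "/"
        jar["sid"]["httponly"] = True
        if https_only:
            jar["sid"]["secure"] = True  # browser sends it over https only
        return jar["sid"].OutputString()

    def whoami(self, cookie_header, now):
        jar = SimpleCookie(cookie_header)
        entry = self.sessions.get(jar["sid"].value) if "sid" in jar else None
        if entry is None:
            return None
        if self.idle_limit is not None and now - entry[1] > self.idle_limit:
            del self.sessions[jar["sid"].value]  # expired: force a new log-in
            return None
        entry[1] = now
        return entry[0]

    def logout(self, cookie_header):
        jar = SimpleCookie(cookie_header)
        if "sid" in jar:
            self.sessions.pop(jar["sid"].value, None)  # cookie is now worthless


def demo():
    store = SessionStore(idle_limit=IDLE_LIMIT)
    cookie = "sid=" + store.login("alice", now=0)
    wrong_phone = store.whoami(cookie, now=60)  # server sees only the cookie
    stale = store.whoami(cookie, now=60 + IDLE_LIMIT + 1)  # idle too long
    return wrong_phone, stale
```

`demo()` returns `("alice", None)`: the server has no way to tell which phone sent the cookie, but once the idle limit passes, the same cookie no longer opens the account.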