2007-07-31

Facebook identity crisis

Among the first things I do in the morning before my shift starts at work: tea (milk, no sugar), a shift handover call with my counterparts in the United States and then a swift check-in with my friends and colleagues on Facebook. This morning, however, something was wrong ...

When loading Facebook I noticed that the email address login prompt was already populated with an email address that wasn't mine. As if someone had used my laptop. Not likely; those who know me will know that I am paranoid about security. My Firefox settings are so secure I have problems bookmarking sites. I figured this must be populated server-side via a caching proxy server and that a successful login would change this. I logged in.

After logging in I noticed I had messages, yay! I love messages, probably because it means I have friends! Maybe ... although it suddenly dawned on me that the messages I had were not my own. In addition to this, I was no longer viewing my profile but someone else's profile. A glitch? Apparently not. At the time of discovery I was the only one in my office; later this morning it became apparent that all my work colleagues were experiencing the same issue. We were able to view the private details of employees across the globe, seemingly cached by our proxy servers. I quickly escalated this to the highest levels and it is being investigated; however, it is becoming increasingly apparent that this is the case in other companies also. Word of mouth prevails, but so far I seem to be the only one to mention this.

I have had various conference calls this morning with our network security, global network and regional IT security managers and colleagues. I don't think I have seen this much activity since BugBear!

I'm refreshing my profile now. Apparently I am now a female in the UK who is engaged to be married, and my messages would indicate I'm having second thoughts. My credit card details? Yup, you guessed it, it's ALL there!

I am assuming at this stage that Facebook have made changes to their session-based authentication methods ... I should imagine they will be quick to resolve the issue once known, but I would not imagine that the publicity will do them much good with their pending court case in eight days.

CURRENT DAILY VEND STATUS: PARANOID

1 comment:

James O'Gorman said...

UPDATE: According to Slashdot (http://www.theregister.co.uk/2007/07/31/facebook/)