As is becoming all too common, yet another embarrassing security breach has happened to AT&T. This time, some people trying to order the new iPhone 4 found themselves logged into the accounts of other users.
Apparently the cause of this huge security breakdown could have been “session exhaustion” from so many people logging into AT&T’s site. “I’ve seen similar behavior across different websites over the years, particularly among those under extreme application load to the point where the site is barely reachable,” said Jeremiah Grossman, a Web security researcher and chief technology officer of WhiteHat Security.
“Unfortunately — even amazingly — web browsers aren’t really designed to do session management well. Developers have to bolt session support in, and more often than not, there are issues. The web application for the iPhone preorder page probably worked fine with small numbers of users. But at the scale we saw the other day, the bolted-on session management fell over, causing the issues seen,” said Dan Kaminsky, the security researcher. “A sedan is designed for driving on the highway, while a 4×4 is designed for off-roading. That doesn’t mean you can’t take the sedan off-roading…but it’s going to have some issues.”
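To make the failure class the two researchers describe concrete, here is an added illustration (written for this page, not AT&T's code, and not a claim about how AT&T's preorder site actually worked). It models a hypothetical bolted-on session store whose pool of session IDs is fixed; once the pool is exhausted under load it evicts the oldest session and hands that ID to the next login, while the evicted user's browser still carries the old cookie, so that user now lands in someone else's account. Beside it is a store that issues unguessable random IDs and fails closed when full rather than reusing an ID. The class names, pool sizes and users are all constructed for the example.

```python
import secrets
from collections import OrderedDict


class BoundedSessionStore:
    """Hypothetical bolted-on store: a fixed pool of short, sequential IDs.

    On exhaustion it recycles the oldest session's ID for the newest login.
    The evicted user's cookie still names that ID, so two browsers now share
    one server-side session: the symptom described in the article.
    """

    def __init__(self, pool_size):
        self.pool_size = pool_size
        self.sessions = OrderedDict()  # sid -> user, insertion order = age
        self.next_id = 0

    def login(self, user):
        if len(self.sessions) >= self.pool_size:
            # Pool exhausted: evict the oldest session and reuse its ID.
            sid, _evicted_user = self.sessions.popitem(last=False)
        else:
            sid = "s%d" % self.next_id  # predictable and tiny ID space
            self.next_id += 1
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


class RandomSessionStore:
    """Hardened store: cryptographically random IDs, never reused.

    When the session limit is reached it refuses the login (returns None)
    instead of silently handing one user's session to another.
    """

    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.sessions = {}  # sid -> user

    def login(self, user):
        if len(self.sessions) >= self.max_sessions:
            return None  # fail closed under load
        sid = secrets.token_urlsafe(32)  # 256 bits of entropy
        self.sessions[sid] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


def simulate(store, n_users):
    """Constructed load test: n_users log in, then each presents its cookie.

    Returns (mismatches, rejected): mismatches lists (cookie owner, account
    actually served) for every user whose cookie now resolves to someone
    else; rejected lists users the store refused to log in.
    """
    cookies = {}
    rejected = []
    for i in range(n_users):
        user = "user%d" % i
        sid = store.login(user)
        if sid is None:
            rejected.append(user)
        else:
            cookies[user] = sid
    mismatches = []
    for user, sid in cookies.items():
        served_as = store.whoami(sid)
        if served_as != user:
            mismatches.append((user, served_as))
    return mismatches, rejected


if __name__ == "__main__":
    weak, _ = simulate(BoundedSessionStore(pool_size=3), 5)
    strong, refused = simulate(RandomSessionStore(max_sessions=3), 5)
    print("bounded store cross-account hits:", weak)
    print("random store cross-account hits:", strong, "refused:", refused)
```

With a pool of three and five logins, the bounded store serves user0's cookie as user3 and user1's cookie as user4; the random store serves nobody the wrong account and simply turns the last two logins away. Refusing a login is an availability problem, but it is a much better failure than an authorization one, which is the trade a session layer under extreme load should make.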