By Dave Z | Saturday, January 15, 2011 at 11:28 am
At every available opportunity, I partake in airborne WiFi services. Yeah, I know public wireless isn’t the most secure form of connectivity. But, at the same time, I haven’t been bothered to set up a personal tunnel. And I’ll do just about anything to pass the time on a cross-country flight… as I did when returning from CES last week. Southwest’s wireless service runs a mere $5 during testing, and linking up on my LAS>BWI flight (3140, 1/8) was a no-brainer – especially as I hadn’t loaded up my iPhone with content and my Kindle was left at home.
Unfortunately, there’s something not quite right with their Internet connection in relation to Twitter. As you can see, I wasn’t the only one in my account:
The interloper acted in the same manner I would have. Not entirely benign, but mostly benevolent as far as I can tell by merely firing off that lone alert. I’m not so concerned about anything in my archived Twitter direct messages, as it’s mostly boring stuff. I operate under the assumption that everything/anything online can become public at any time. Internet privacy is an easily shattered illusion.
Now it’s possible this person swiped my credentials off the network using something like Firesheep. But I’d expect a person dabbling in such affairs to more proudly proclaim I’d been p0wned. Followed by additional mayhem. So I’m taking him/her at face value and suspect somehow the packets were unintentionally crossed. And at the time there was super high latency on the network. Combined with Southwest’s proxy and framing of every web page (see below, left), I guess anything is possible. Although it shouldn’t be.
At the time of discovery, two hours after the fact, I was obviously startled and the only action I came up with was to delete the tweet. In retrospect, I should have left it be so as to not impact any possible forensic research. And to provide a more compelling post. But the screen grab will have to suffice. Once I deplaned, I changed my unique Twitter password, as a precaution, via aircard.
So consider this post a public WiFi PSA in addition to a security vulnerability notification to Southwest and Twitter. I’ll provide updates if either of them chooses to respond.
(Thanks for alerting me, Steve!)
(This post republished from Zatz Not Funny.)
January 15th, 2011 at 12:35 pm
This isn't a security issue. If you're not using Twitter with an SSL-protected session (many Twitter clients can be set to only use the API via SSL/TLS) or within a VPN tunnel, you're essentially spewing your data and tokens out in public, anyway.
It's possible Row 44, Southwest's operator, has its proxy filter set incorrectly, and two separate open Twitter sessions were proxied with the same cookie. That shouldn't happen, but it's possible.
January 17th, 2011 at 4:05 am
You're lucky it wasn't more than your Twitter account. I hope you changed your passwords for every service you logged into during the flight.