Sunday, January 17, 2010, 06:55 AM
Posted by Administrator
On January 15th, AP carried a story about a woman who was connected to an unknown Facebook account (Read Article). She didn't hack into the account; she simply went online, connected to Facebook and was greeted with a smiling face - unfortunately, it wasn't her own. She called her friends and at least one of them experienced the same problem - though this person was granted access to a completely different Facebook account. Both were using the AT&T wireless network.
AT&T spokesman Michael Coe is quoted as saying that its wireless customers have landed in the wrong Facebook pages in "a limited number of instances" and that a network problem behind those episodes is being fixed.
So everything is fine? Case closed? Not so fast. First let's look into the details of this problem.
Most websites (not only Facebook) use "Cookies" for authorization and other purposes. Cookies are small pieces of data that are created by a website, transmitted to your browser and automatically stored on your computer. Whenever you return to that website, your browser re-sends the Cookie to it and you are authenticated without typing your password again. For security reasons, your browser makes sure that a Cookie is only sent back to the website that set it. So, if, say, Facebook sends you a Cookie, your browser will send it only back to Facebook. This is very important because whoever has your "Cookie" can use it to log in to your account - even without the password. Cookies are only exchanged directly between a website and your browser - the Cookie is a 'key' and your browser knows which 'key' to use for which 'lock' (website). Though it is not perfect, it's a pretty safe method.
Unless there's a man in the middle.
In cryptography, the man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. (Source: Wikipedia)
Should the "man in the middle" lose track of which data to send where, Cookies are fumbled and people are able to view (and modify) other people's profiles. Is that what AT&T calls a "network problem"?
But this "network problem" uncovered a shocking and almost unbelievable truth: There is a "man in the middle" in AT&T's wireless network. In other words: Somebody (most likely an organization or company with three letters in its name) may have all Cookies and, by definition, access to all accounts. Not only on Facebook, but on each and every website that uses Cookies for authorization. All the data stored on social or business websites, in your email accounts, maybe even on your bank's website - in plain view to, well, whoever it is.
What can you do?
Well, you may want to finally surrender your privacy once and for all. Take a piece of paper, write down all your usernames and passwords and mail them to AT&T. That saves a lot of data storage. And you will never again be tempted to expect any 'online' privacy. Or you can make sure to use HTTPS (Hypertext Transfer Protocol Secure). Never connect to a website by typing 'website.com'. Type 'https://website.com' - like https://www.facebook.com. Your data will now be encrypted and the "man in the middle" can't use your data (including your Cookies).
If a warning pops up - don't use the website. If you can't connect to an 'https' website - don't use it. But it must be HTTPS (notice that 's' at the end - that's for 'Secure'). Make sure the website doesn't re-route you to a different address without the 'https' in front of it.
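To make the 'key' and 'lock' picture concrete, here is an added example (not code from the original post) that mimics how a browser decides which Cookies to attach to a request: the domain rule keeps a Cookie with the site that set it, and the Secure attribute keeps it off plaintext HTTP entirely, which is what the HTTPS advice above buys you. Cookie names and values are constructed for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    domain: str           # the 'lock' this 'key' fits
    secure: bool = False  # Secure attribute: send over HTTPS only

def parse_set_cookie(header: str, setting_host: str) -> Cookie:
    """Simplified Set-Cookie parser (Domain and Secure only)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name, value, setting_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
    return cookie

def cookies_for_request(jar: list, url: str) -> list:
    """Names of the cookies a browser would attach to a request for url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    over_tls = parts.scheme == "https"
    sent = []
    for c in jar:
        # Domain rule: the 'key' goes only to the site that set it.
        if not (host == c.domain or host.endswith("." + c.domain)):
            continue
        # A Secure cookie never travels in plaintext, so a middlebox
        # on the carrier network cannot read it or mix it up.
        if c.secure and not over_tls:
            continue
        sent.append(c.name)
    return sent

# Constructed sample jar: one plain session cookie, one Secure (names invented).
JAR = [
    parse_set_cookie("sid=abc123; Domain=.facebook.com", "www.facebook.com"),
    parse_set_cookie("ssid=def456; Domain=.facebook.com; Secure", "www.facebook.com"),
]

if __name__ == "__main__":
    for u in ("http://www.facebook.com/", "https://www.facebook.com/", "http://example.com/"):
        print(u, "->", cookies_for_request(JAR, u))
```

Over plain HTTP only the non-Secure cookie is put on the wire, which is exactly the one a confused or hostile proxy can see and misroute.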
All of your current accounts are already compromised. Will it help to change your password? That depends on the website - but it surely doesn't hurt. Keep an eye on the "visit tracker". Most websites tell you how many times you have visited. Write it down and check whether it increases without you logging in.
Support the Electronic Frontier Foundation (Go There) and let them help to defend your digital rights. Unless of course, you have no problem with 'you know who' sharing your data with 'you know who' ...