Symantec says it has plugged hole in Norton Online Backup

Symantec today said it has plugged a hole in its Norton Online Backup service that inadvertently allowed some users to view and access the data of other Norton Online Backup customers.

“On July 30, as a portion of our ongoing server maintenance, Symantec made a transformation in the way that they cached certain HTML files and other static assets that, through a short-lived misconfiguration, might have led to certain users incorrectly receiving other users’ session cookies,” said Symantec in an announcement today. “These cookies impact the information that’s displayed when a user logs into their Norton Online Backup account.”
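Symantec's statement does not say exactly how the caching change exposed the cookies. As an added illustration (not Symantec's code; the cache classes, path, user names and cookie format are all constructed), the following Python model shows one common way this class of bug arises, a shared cache that stores a page's `Set-Cookie` header along with the page, next to a version that strips that header before storing.

```python
# Added example: a shared cache in front of an origin. All names are constructed.

def origin(path, user):
    """Constructed origin: every response refreshes the caller's session cookie."""
    return {
        "headers": {"Content-Type": "text/html",
                    "Set-Cookie": f"session={user}-token; HttpOnly; Secure"},
        "body": f"<html>static page {path}</html>",
    }

class NaiveCache:
    """Stores the whole response, headers included, keyed by path only."""
    def __init__(self):
        self.store = {}

    def get(self, path, user):
        if path not in self.store:
            self.store[path] = origin(path, user)
        return self.store[path]

class SafeCache(NaiveCache):
    """Strips per-user headers before a response enters the shared store."""
    PER_USER = {"set-cookie"}

    def get(self, path, user):
        if path in self.store:
            return self.store[path]
        resp = origin(path, user)
        shared = {k: v for k, v in resp["headers"].items()
                  if k.lower() not in self.PER_USER}
        self.store[path] = {**resp, "headers": shared}
        return resp  # the first requester still receives their own cookie

def cookies_received(cache, visits):
    """Map each user to the Set-Cookie value (or None) they were served."""
    return {user: cache.get(path, user)["headers"].get("Set-Cookie")
            for user, path in visits}

def leaked(cache, visits):
    """Users who were served a session cookie minted for someone else."""
    got = cookies_received(cache, visits)
    return [u for u, c in got.items()
            if c is not None and not c.startswith(f"session={u}-")]

VISITS = [("alice", "/login.html"), ("bob", "/login.html")]  # constructed sample

if __name__ == "__main__":
    for cache in (NaiveCache(), SafeCache()):
        print(type(cache).__name__, "leaks to:", leaked(cache, VISITS))
```

The same property can be checked from outside a real deployment by confirming that responses served from cache never carry a `Set-Cookie` header.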


The issue was brought to Symantec’s attention by at least one Norton Online Backup user, Bill Howland, who also contacted Network World on Aug. 7 about what he considered a weird phenomenon that suggested a data breach because he was able to access other people’s files. He wrote via email that he had just purchased the Norton Online Backup product and it didn’t appear to be working right.

“I bought the product an afternoon ago and have been working with Tech support because the product isn’t working,” Howland told us in an email. “As an aspect effect, I keep logging into Norton backup and I’m randomly ready to access other users’ data.”

Howland, who provided a sample screenshot as evidence of files he said came from someone named Erico, wrote, “Here we go again — logged in, but these don’t seem to be my computers. I’ve got 100 Gb of storage and currently nothing in storage. Hey, here is neat, I will restore Erico’s files!!! This can be a security breach in my view.”

Later he described what he was seeing. “Once I have been connected to other person’s data, my icon and computer name show on the screen for a microsecond, after which they’re replaced with any other person’s icon(s) and computer name(s). This needs to be a glitch of their link between their logon and authentication module and the link to the particular storage files which belong to every particular user.”

Howland said he decided to stop using Norton Online Backup immediately.

Howland added that a Norton Online Backup technician remotely assisting him in resolving the issues he was experiencing saw the display of the files from another user, but didn’t comment on it at the time. Howland indicated he provided Symantec with evidence of the data breach. It turned out Howland had indeed identified an issue.

Symantec acknowledges it started investigating the issue on about Aug. 7 and “fixed the problem within 24 hours by rolling the server software back to an earlier state,” though the security vendor isn’t saying how many Norton Online Backup customers were impacted. “As of August 8, no further instances of this mistake have occurred.”

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends involving information security. Twitter: @MessmerE. Email: emessmer@nww.com.
