A number of Facebook users may have made a detour to China recently on their way to connect with friends.
Some of the network traffic heading to Facebook’s servers in Palo Alto, Calif., was re-routed to first pass through Chinese and Korean servers, according to Barrett Lyon, a network security expert who flagged the incident on March 22. Lyon suggested in a blog post that it was probably an accident.
“This happens all the time-the Internet is just not a trusted network,” Lyon said.
A similar incident surfaced almost exactly a year ago on April 8, 2010, when a Chinese ISP incorrectly published a set of BGP (Border Gateway Protocol) instructions that could have potentially affected 37,000 networks. The incident lasted only 18 minutes, and China Telecom, the country’s largest ISP, denied trying to hijack Internet traffic. Experts speculated it was an accident because of how quickly it was fixed.
Lyon’s analysis was for AT&T customers only. As customers browsed through Facebook, the network traffic first went to Chinanet, one of the largest ISPs in China, and then to SK Broadband in South Korea, before reaching Facebook’s ISP, Lyon said. Usually, traffic from these customers would have gone over the AT&T network directly to Facebook’s network provider.
Lyon used the trace-route tool to discover which network providers the traffic hopped through on its way to Facebook. It’s unclear how long this routing was in place, or whether it affected other ISPs.
While this kind of re-routing can happen “all the time” as network operators can easily make mistakes working with BGP and routing tables, Lyon was still concerned about the incident in light of China’s censorship activities.
“I prefer to know that when I am on AT&T’s network, going to U.S.-located sites, my packets are not accidentally leaving the country and being subject to another nation’s policies.”
China aggressively censors the Internet and activists have worried about the government snooping on their citizens’ online activities. As the government exercises tremendous control over the ISPs, the government can see personal information, intercept email and view online activity.
“What could have happened with your data?” Lyon wrote. “Most likely absolutely nothing.”
Lyon said that “it’s possible” Facebook data, such as session ID information, personal data, messages, photos, chat conversations, and relationship information to “friends” could have been revealed, but noted it was only speculation at this time.
Users who have already enabled HTTPS on their Facebook accounts can breathe a little easily, as their information would have been encrypted during this side jaunt through China. The Secure Sockets Layer means Chinanet could see there was traffic going to Facebook, but would not be able to see the contents of the traffic. Lyon criticized Facebook for rolling this feature out as an optional one, instead of enabling it for all users by default.
Twitter also recently rolled out HTTPS, but it’s also optional. Google uses it by default for its mail.
High-profile sites should also not be allowed to route to non-authenticated networks, he said.
Facebook or AT&T should have notified customers of the problem, Lyon said. Facebook did not respond to requests for comment.
