Symantec plugged a hole in its Norton Online Backup service that inadvertently allowed users to view and access the data of other Norton Online Backup customers.
“On July 30, as part of our ongoing server maintenance, Symantec made a change in the way that they cached certain HTML files and other static assets that, through a temporary misconfiguration, may have resulted in certain users incorrectly receiving other users’ session cookies,” Symantec said. “These cookies impact the data that is displayed when a user logs into their Norton Online Backup account.”
The issue was brought to Symantec’s attention by at least one Norton Online Backup user, Bill Howland, who thought it strange that he was getting access to other people’s files. He said he had just purchased the Norton Online Backup product and it didn’t seem to be working right.
“I purchased the product a day ago and have been working with Tech support since the product just isn’t working,” Howland said. “As a side effect, I keep logging into Norton backup and I am randomly able to access other users’ data.”
Howland said a Norton Online Backup technician remotely assisting him in resolving the problems saw the display of the files from another user, but didn’t comment on it at the time. Howland indicated he provided Symantec with evidence of the data breach. It turned out Howland had indeed identified a problem.
Symantec said it began investigating these questions Aug. 7 and “fixed the issue within 24 hours by rolling the server software back to an earlier state,” though the security vendor isn’t saying how many Norton Online Backup customers suffered from the issue. “As of August 8, no further instances of this error have occurred,” the company said.
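The failure described in Symantec's statement, cached responses handing one user's session cookie to another, is the kind of thing a response-header audit can catch after a caching change. The check below is an added example, not Symantec's code; it assumes the usual mechanism (a shared cache storing a response that carries `Set-Cookie`), which the statement does not spell out, and its URLs, cookie values and function names are constructed.

```python
# Added example: flag responses where a Set-Cookie header meets a shared cache.
# Headers are dicts with lowercase names; all sample data is constructed.

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def _positive(arg):
    return arg.isdigit() and int(arg) > 0

def shared_cache_may_store(headers):
    """Approximate test: may a CDN or reverse proxy store and reuse this response?"""
    cc = parse_cache_control(headers.get("cache-control", ""))
    if "no-store" in cc or "private" in cc:
        return False
    if "s-maxage" in cc:  # s-maxage overrides max-age for shared caches
        return _positive(cc["s-maxage"])
    return "public" in cc or _positive(cc.get("max-age", "")) or "expires" in headers

def audit(responses):
    """Return (url, reason) for every response that pairs Set-Cookie with caching."""
    findings = []
    for url, headers in responses:
        if "set-cookie" not in headers:
            continue
        if "age" in headers:
            # An Age header means a cache generated this response, cookie included.
            findings.append((url, "served-from-cache"))
        elif shared_cache_may_store(headers):
            findings.append((url, "cacheable"))
    return findings

SAMPLES = [  # constructed responses
    ("/static/app.css", {"cache-control": "public, max-age=86400",
                         "set-cookie": "SESSION=constructed-1; HttpOnly"}),
    ("/static/logo.png", {"cache-control": "public, max-age=86400"}),
    ("/account", {"cache-control": "private, no-store",
                  "set-cookie": "SESSION=constructed-2; HttpOnly"}),
    ("/index.html", {"age": "120", "set-cookie": "SESSION=constructed-3; HttpOnly"}),
]

if __name__ == "__main__":
    for url, reason in audit(SAMPLES):
        print(f"{url}: Set-Cookie on a {reason} response")
```

Running the audit against both the origin and the cache edge before and after a caching change shows whether static assets have started carrying session cookies.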