Symantec says it has plugged hole in Norton Online Backup

Symantec today said it has plugged a hole in its Norton Online Backup service that inadvertently allowed some users to view and access the data of other Norton Online Backup customers.

"On July 30, as part of our ongoing maintenance, Symantec made a change in the way that they cached certain HTML files and other static assets that, through a temporary misconfiguration, may have resulted in certain users incorrectly receiving other users' session cookies," said Symantec in a statement today. "These cookies impact the data that is displayed when a user logs into their Norton Online Backup account."
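
The statement does not say how the cache was configured. As an added example (not Symantec's code and not part of the original article), the Python check below assumes the failure mode was a shared cache storing responses that carry a Set-Cookie header. The function names and sample headers are constructed for illustration.

```python
# Added example: audit HTTP responses for session cookies that a shared
# cache (CDN, reverse proxy) may store, or has already replayed.
# Assumption: the leak came from cached responses carrying Set-Cookie.

def parse_cache_control(value):
    """Return the set of lowercase Cache-Control directive names."""
    names = set()
    for part in value.split(","):
        name = part.strip().split("=", 1)[0].strip().lower()
        if name:
            names.add(name)
    return names

def audit_response(headers):
    """Classify one response given a list of (name, value) header pairs.

    'replayed': Set-Cookie arrived together with an Age header, so a cache
                rather than the origin produced it for this request.
    'storable': Set-Cookie present and nothing forbids shared-cache storage.
                Conservative rule: only no-store or private count as safe.
    'ok'      : no cookie, or the cookie is excluded from shared caches.
    """
    h = {name.lower(): value for name, value in headers}
    if "set-cookie" not in h:
        return "ok"
    if "age" in h:
        return "replayed"
    directives = parse_cache_control(h.get("cache-control", ""))
    if not directives & {"no-store", "private"}:
        return "storable"
    return "ok"

# Constructed sample responses (paths and cookie values are made up).
SAMPLES = {
    "/static/app.css": [("Cache-Control", "public, max-age=86400"), ("Age", "120")],
    "/login.html": [("Cache-Control", "public, max-age=3600"),
                    ("Set-Cookie", "session=CONSTRUCTED-A; HttpOnly")],
    "/index.html": [("Cache-Control", "max-age=3600"), ("Age", "57"),
                    ("Set-Cookie", "session=CONSTRUCTED-B; HttpOnly")],
    "/account": [("Cache-Control", "private, no-store"),
                 ("Set-Cookie", "session=CONSTRUCTED-C; HttpOnly")],
}

def audit_all(samples):
    """Map each sample path to its classification."""
    return {path: audit_response(hdrs) for path, hdrs in samples.items()}

if __name__ == "__main__":
    for path, verdict in audit_all(SAMPLES).items():
        print(f"{verdict:9} {path}")
```
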


The issue was brought to the attention of Symantec by at least one Norton Online Backup user, Bill Howland, who also contacted Network World on Aug. 7 about what he thought to be a strange phenomenon that suggested a data breach because he was getting access to other people's files. He wrote via email that he had just purchased the Norton Online Backup product and it didn't seem to be working right.

"I purchased the product a day ago and have been working with Tech support since the product just isn't working," Howland told us in an email. "As a side effect, I keep logging into Norton backup and I am randomly able to access other users' data."

Howland, who provided a sample screenshot as evidence of files he said came from someone named Erico, wrote, "Here we go again -- logged in, but these are not my computers. I have 100 Gb of storage and currently nothing in storage. Hey, this is neat, I can restore Erico's files!!! This is a breach in my opinion."