Symantec says it has plugged hole in Norton Online Backup

Symantec today said it has plugged a hole in its Norton Online Backup service that inadvertently allowed some users to view and access data of other Norton Online Backup customers.

"On July 30, as part of our ongoing server maintenance, Symantec made a change in the way that they cached certain HTML files and other static assets that, through a temporary misconfiguration, may have resulted in certain users incorrectly receiving other users' session cookies," said Symantec in a statement today. "These cookies impact the data that is displayed when a user logs into their Norton Online Backup account."


The issue was brought to the attention of Symantec by at least one Norton Online Backup user, Bill Howland, who also contacted Network World on Aug. 7 about what he thought to be a strange phenomenon that suggested a data breach because he was getting access to other people's files. He wrote via email that he had just purchased the Norton Online Backup product and it didn't seem to be working right.

"I purchased the product a day ago and have been working with Tech support since the product just isn't working," Howland told us in an email. "As a side effect, I keep logging into Norton backup and I am randomly able to access other users' data."

Howland, who provided a screenshot as evidence showing files he said came from someone named Erico, wrote, "Here we go again -- logged in, but these are not my computers. I have 100 Gb of storage and currently nothing in storage. Hey, this is neat, I can restore Erico's files!!! This is a security breach in my opinion."

Later he wrote about how things seemed. "When I have been connected to other person's data, my icon and computer name show on the screen for a microsecond, and then they are replaced with the other person's icon(s) and computer name(s). This must be a glitch in their link between their logon and authentication module and the link to the actual storage files which belong to each particular user."

Howland said he decided to immediately stop using Norton Online Backup.

Howland added that a Norton Online Backup technician remotely assisting him in resolving the problems he was experiencing saw the display of the files from another user, but didn't comment on it at the time. Howland indicated he provided Symantec with evidence of the data breach. It turned out Howland had indeed identified a problem.

Symantec acknowledges it began investigating these questions on Aug. 7 and "fixed the issue within 24 hours by rolling the server software back to an earlier state," though the security vendor isn't saying how many Norton Online Backup customers were impacted. "As of August 8, no further instances of this error have occurred."
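The class of fault Symantec describes, a cache handing one user's session cookie to another, can be reproduced in a few lines. The following is an added illustration, not Symantec's code or configuration: it assumes a shared cache keyed on URL alone that stores responses carrying `Set-Cookie`, and every name in it (`origin`, `SharedCache`, `storable`, the users and tokens) is constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)

def origin(path, user):
    """Constructed origin server: each response sets a per-user session cookie
    and (the misconfiguration assumed here) is also marked publicly cacheable."""
    return Response(f"<html>{path}</html>", {
        "Set-Cookie": f"session={user}-token; HttpOnly; Secure",
        "Cache-Control": "public, max-age=300",
    })

def storable(resp):
    """Shared-cache rule: never store a response that sets a cookie
    or that is marked private or no-store."""
    if "Set-Cookie" in resp.headers:
        return False
    cc = resp.headers.get("Cache-Control", "").lower()
    directives = {d.strip().split("=")[0] for d in cc.split(",") if d.strip()}
    return not directives & {"private", "no-store"}

class SharedCache:
    """Cache in front of the origin, keyed by URL only (no per-user key)."""
    def __init__(self, check):
        self.check = check      # policy deciding whether a response may be stored
        self.store = {}

    def fetch(self, path, user):
        if path in self.store:
            return self.store[path]          # served without contacting the origin
        resp = origin(path, user)
        if self.check(resp):
            self.store[path] = resp
        return resp

def cookie_seen_by_second_user(cache, path, first_user, second_user):
    """First user warms the cache; return the cookie the second user then receives."""
    cache.fetch(path, first_user)
    return cache.fetch(path, second_user).headers.get("Set-Cookie", "")

def run_demo():
    naive = cookie_seen_by_second_user(SharedCache(lambda r: True), "/index.html", "alice", "bob")
    hardened = cookie_seen_by_second_user(SharedCache(storable), "/index.html", "alice", "bob")
    return naive, hardened

if __name__ == "__main__":
    print(run_demo())
```

With the store-everything policy the second user is handed the first user's cookie; with `storable` as the policy each user gets a cookie issued for them.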

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE.
