Slashdot Mirror
AT&T Leaks Emails Addresses of 114,000 iPad Users
Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
Accidents happen.
Does anyone think this will cost AT&T anything? Not when you've let the NSA use your phone system for illegal wiretaps.
That was the quid and things like this are the quo.
You are welcome on my lawn.
In the age of Facebook, I wouldn't be surprised that many people just flat out don't care.
why would it affect Apple at all? This was an AT&T issue.
Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?
From a source not being sued by Apple for theft
http://www.pcworld.com/businesscenter/article/198453/should_you_worry_about_the_ipad_3g_data_leak.html
Thank you Slashdot for not running the sensationalist headline found on that other "tech" blog. Kudo's to you for calling it what it is - an AT&T security breach.
Civilization, the death of dreams.
This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc) All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.
I put together some more in-depth comments here:
4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers
--Dan
@danielcornell
By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?
Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.
Not only a poor analogy, but not applicable. A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite-it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.
And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked). If you accidentally leave confidential business records laying on the front counter of the store, and I see them there, I'm also doing nothing wrong-you left them in a public area, I just saw what was there.
At some point, yes, you are responsible to take reasonable security precautions. If you leave things in an area that the public is allowed to access, you can hardly yowl and scream when it becomes publicly known. Now, if you keep it in an area that is not normally accessible to the public and clearly is secured, and someone deliberately cracks in, you are much more likely to have a legitimate grievance. But only then, and this is not such a case. It was laying right out in the open for anyone at all to look at, and someone did.
To fight the war on terror, stop being afraid.
Look in your spam box. Your email address has been leaked to V1agra merchants and worse, a million times over, whether you're an iPad user or not. Let's not act like these were some sort of unsoiled email addresses that have now been deflowered. There are no such things on the internet. Yeah, I don't want these jerks knowing what kind of gear I own, but in the big picture, I'd say that these people need a good spam blocker this week, and they needed it last week too.