Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Leaks Emails Addresses of 114,000 iPad Users

Posted by samzenpus on from the sieve-security dept.

Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"

30 of 284 comments (clear)

  1. Bad joke by girlintraining · · Score: 5, Funny

    Wait, the iPad suffered a leak? That's why you always buy pads with wings. (groan)

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:Bad joke by Peach+Rings · · Score: 5, Interesting

      It's going to become news when this hits the courts:

      in what appears to be a legal fashion by querying a public interface

      Since when does the interface being public have anything to do with whether accessing it is legal? The law makes statements about authorized and unauthorized access, not technically possible and technically impossible access. In all hacking crimes the system is happily serving up content exactly as built by the designers, but it's still a crime. In many cases, the system is even working as intended (no buffer overflows and the like) but if unauthorized access is obtained, it's still a crime.

      Does anyone else remember this case that was on slashdot some years ago? A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter. Obviously this destroyed his career.

      This is the text of the law that convicted him.

      a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case

    2. Re:Bad joke by afidel · · Score: 5, Insightful

      By not putting an access control mechanism on a data interface you are essentially granting everyone access. Whether the courts rule this way has nothing to do with the technical and practical realities of the situation.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Bad joke by Moridineas · · Score: 4, Insightful

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.

    4. Re:Bad joke by OrangeCatholic · · Score: 3, Informative

      >A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter

      Wow I just realized what that does.

      That's about the lowest definition of "hacking" you can possibly have. It's more like basic literacy.

    5. Re:Bad joke by Moridineas · · Score: 3, Insightful

      That's exactly the problem.

      Randomly searching directories for non-listed files? Is that a problem? What about typing "/private" to the end of a URL and finding something?

      For instance with this story, it's not clear how the hacking group found the script in question. If it's not publicly listed is it a problem? The second it started returning what is obviously non-public information, is that a problem?

      I completely agree that stumbling across something private on a public website is easy to do. But if the "stumbler" has to do a lot of work to stumble on the information...? (and I absolutely DON'T excuse AT&T for this leak either)

    6. Re:Bad joke by aliquis · · Score: 5, Informative

      Personuppgiftslagen / personal data law

      Google translation (enhanced by hand ..)

      Safety measures
      31 The liable data manager must take appropriate technical and organizational measures to protect the personal data processed. These measures must achieve a level of security that is appropriate with regard to

      a) the technical options available,
      b) what it would cost to implement the actions;
      c) the specific risks involved in the processing of personal data, and
      d) how sensitive the treated personal information is.

      When the liable data manager uses a personal data assistant, the liable data manager must ensure that the personal data assistant can implement the security measures required and ensure that the personal data assistant actually take those measures.

      The regulatory authority may decide on security measures.

    7. Re:Bad joke by icebraining · · Score: 3, Insightful

      Nothing of that should be illegal. Come on, you can set up basic authentication in Apache in five lines in .htaccess.

      Any URL that doesn't require authentication should be fair game, imho. Anything less than that and we start going on a grey area and the 'net turns into a unsafe place where you can be illegal just by clicking a link.

      --
      Dilbert RSS feed
    8. Re:Bad joke by laughingcoyote · · Score: 5, Insightful

      Not only a poor analogy, but not applicable. A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite-it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.

      And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked). If you accidentally leave confidential business records laying on the front counter of the store, and I see them there, I'm also doing nothing wrong-you left them in a public area, I just saw what was there.

      At some point, yes, you are responsible to take reasonable security precautions. If you leave things in an area that the public is allowed to access, you can hardly yowl and scream when it becomes publicly known. Now, if you keep it in an area that is not normally accessible to the public and clearly is secured, and someone deliberately cracks in, you are much more likely to have a legitimate grievance. But only then, and this is not such a case. It was laying right out in the open for anyone at all to look at, and someone did.

      --
      To fight the war on terror, stop being afraid.
    9. Re:Bad joke by butlerm · · Score: 3, Insightful

      So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?

      A house door or window is a perfect example of something that is "private" in the legal sense of the term.

      HTTP, on the other hand, was developed primarily to allow people to publish documents for public consumption. If you place a web server on a network wide open to the public and do not protect access to your documents or indicate that you intended to do so with the equivalent of a "no trespassing" sign, you are giving the public an implicit license to view what you publish. HTTP is a publishing system after all. The similarity between "publish", "public", and "publication" is not coincidental. An implied license means authorization.

      The law concerning electronic communications "interception" is relevant here:

      "It shall not be unlawful under this chapter or chapter 121 of this title for any person -- (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;" (18 USC 2510 (g))

      If you operate a web server that is "configured so that such communication is readily accessible to the general public" you have granted an implied license as strong as the one you have to listen to a run of the mill FM radio channel.

    10. Re:Bad joke by tehcyder · · Score: 4, Informative

      Since the meaning of "hacker" has changed from "someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code" to "electronic burglar", who do we now call someone who modifies devices to do things they weren't designed to do, or writes quick and dirty computer code?

      We still call ourselves hackers, and revel in the thrill that outsiders think we are elite master cyber-criminals who get blowjobs while typing quickly on our keyboards, like in that film with Halle Berry.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. Goatse? Really? by ewoods · · Score: 5, Funny

    Ok, "goatse" in a story, followed by a link... Is anyone really going to click it without hesitation?

  3. Re:Goatse? Really? by Anonymous Coward · · Score: 3, Funny

    What's even better is that the first 3 words of the headline are "AT&T's Gaping Hole".

  4. Oh well... by PopeRatzo · · Score: 4, Insightful

    Accidents happen.

    Does anyone think this will cost AT&T anything? Not when you've let the NSA use your phone system for illegal wiretaps.

    That was the quid and things like this are the quo.

    --
    You are welcome on my lawn.
  5. Re:Goatse? Really? by Ethanol-fueled · · Score: 5, Informative

    For those of you who don't get it, Goatse Security is a division of the great Gay Niggers Association of America.

    I'm not fucking joking.

    Additionally, this may be a Slashdot first: The GNAA first post is actually the article itself.

  6. Re:Goatse? Really? by mavasplode · · Score: 4, Funny
    FTA:

    Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled,

    nuff said

    --
    ACTUAL SIZE!!!
  7. Re:Goatse Security by SolidAltar · · Score: 5, Funny

    The funniest part of this entire story is that news organizations are either completely clueless as to what Goatse is, or refuse to mention it.

    But some people are going to google it anyway.

    The person who leaked this is a true internet superhero.

  8. Re:Bad move, Apple by Titoxd · · Score: 4, Insightful

    In the age of Facebook, I wouldn't be surprised that many people just flat out don't care.

  9. Re:Doesn't Matter by aesiamun · · Score: 4, Insightful

    why would it affect Apple at all? This was an AT&T issue.

  10. Re:Doesn't Matter by Wyatt+Earp · · Score: 5, Insightful

    Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?

    From a source not being sued by Apple for theft

    http://www.pcworld.com/businesscenter/article/198453/should_you_worry_about_the_ipad_3g_data_leak.html

  11. Re:Goatse Security by Titoxd · · Score: 5, Funny

    Goatse Security: We will show you every gaping hole in your security!

  12. Re:Bad move, Apple by Red+Flayer · · Score: 4, Informative

    I sometimes wonder why Apple hasn't moved away from it's exclusive relationship with AT&T.

    Contractual obligations. Here's some info.

    Basically, Apple signed a five-year deal in 2007 because they badly needed a carrier who was willing to sink many millions into the release.

    Here's the thing that sucks for early adopters: If you bought in '07, you had to sign a two-year deal with AT&T. Par for the course for a phone the way we've got it structured in the US. But after your two years are up, you'd still be stuck with AT&T for another three years due to the 5-year deal they have with Apple. Either that, or jailbreak your phone, etc.

    Practically, though, the extra three years are no big deal for the early adopters... surely most of them would move onto a new phone after two years, since they are early adopters.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  13. Thank you... by xgadflyx · · Score: 4, Insightful

    Thank you Slashdot for not running the sensationalist headline found on that other "tech" blog. Kudo's to you for calling it what it is - an AT&T security breach.

    --
    Civilization, the death of dreams.
  14. You are more right than you know. by tak+amalak · · Score: 5, Funny

    anyone with half a brain has a droid anyway.

    Couldn't have said it better myself.

    --
    Don't lead me into temptation... I can find it myself.
  15. Re:Goatse Security by cosm · · Score: 5, Funny
    I willing to bet the writers / editors of the dailytech story knew exactly the wide open possibilities of this exploit's verbiage flexibility, FTA:

    The title:

    AT&T's Gaping Hole Exposes...

    and

    ... before reporting this gaping hole to AT&T...

    and this gem:

    Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled

    Goatse FTW.

    --
    'We are trying to prove ourselves wrong as quickly as possible, because only in that way can we find progress.' RPF
  16. Smartphone Developers: Take Note by dancornell · · Score: 5, Insightful

    This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc) All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.

    I put together some more in-depth comments here:
    4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers

    --Dan
    @danielcornell

  17. Re:Goatse Security by Anonymous Coward · · Score: 5, Funny

    Goatse Security: We will show you every gaping hole in your security!

    "That guy who leaked 114,000 emails? What a big asshole!"

  18. Re:Goatse? Really? by morgan_greywolf · · Score: 5, Informative

    Ummmm...apparently, actually true. It really is a division of the GNAA. Makes me wonder how accurate this story is.

    --
    My blog
  19. Corporate-speak by Stiletto · · Score: 4, Funny

    'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"

    A classic textbook non-response from a corporation's P.R. machine. A guide, for those unfamiliar with the terminology:

      * "We continue to..." / "We are continuing..." - Translation: We're not doing a thing

      * "investigate" - Translation: To lawyer-up and get paperwork straight for a lawsuit

      * "may have" - Translation: "did"

      * "been obtained" - Translation: given out by us through incompetence

      * "We take XYZ very seriously" - Translation: It only comes up in meetings when emergencies happen

      * "we have fixed this problem" - Translation: We fired the employees who told us this problem would happen

      * "we apologize" - Translation: We admit no legal wrongdoing

      * "customers who were impacted" - people who paid us for the pleasure of a good corporate rogering

    Why anyone even reads press releases by companies anymore, one can only guess. You'll hear those catch phrases in every one.

  20. I hate to break it to everyone, but... by Dr.+Spork · · Score: 4, Insightful

    Look in your spam box. Your email address has been leaked to V1agra merchants and worse, a million times over, whether you're an iPad user or not. Let's not act like these were some sort of unsoiled email addresses that have now been deflowered. There are no such things on the internet. Yeah, I don't want these jerks knowing what kind of gear I own, but in the big picture, I'd say that these people need a good spam blocker this week, and they needed it last week too.