AT&T Leaks Emails Addresses of 114,000 iPad Users 284
Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"
Oh well... (Score:5, Insightful)
Accidents happen.
Does anyone think this will cost AT&T anything? Not when you've let the NSA use your phone system for illegal wiretaps.
That was the quid and things like this are the quo.
Will consumers actually care? (Score:3, Insightful)
I'm not a consumer, and least of all a gadget one. I'm a business guy and I like business toys. And when I buy a business toy, I consider the brand and the source, and almost always pay more to get the better source -- especially when the product/service is otherwise identical.
But when have you seen a consumer choose to buy an iPad from a source that's $10 more expensive than another they've found? Anyone here have friends who choose to pay more? Anyone have friends who chose an iPad from not AT&T because they actually thought about the AT&T factor? I'd bet otherwise.
Oh joy, another spam list... (Score:2, Insightful)
Re:Bad move, Apple (Score:5, Insightful)
Gawker Being Gawker (Score:2, Insightful)
Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed.
Is it? Is it really? Or is this just Gawker being Gawker and making things up? Emails, folks. That's it. Emails. You're on some public list alread, emails are not "confidential".
Re:Doesn't Matter (Score:4, Insightful)
why would it affect Apple at all? This was an AT&T issue.
Re:Doesn't Matter (Score:5, Insightful)
Since this was a flaw in AT&T's security, despite Gawker's attempt to make it Apple's fault, why the hell would or should it affect Apple's image?
From a source not being sued by Apple for theft
http://www.pcworld.com/businesscenter/article/198453/should_you_worry_about_the_ipad_3g_data_leak.html [pcworld.com]
Thank you... (Score:4, Insightful)
Why punish the users? (Score:2, Insightful)
I'm surprised nobody else has commented how offensive it is that the group that found the leak published the email addresses. By all means publish the fact of the breach, get pie on AT&T's face, but why punish the users? That's just mean.
Re:Goatse? Really? (Score:2, Insightful)
But it turns out that my troll mods may have been deserved: I spelled it out like Gay Niggers Association of America instead of Gay Nigger Association of America, which is correct.
My bad, guys. Keep up the good work. I'd join your public affairs department if I weren't so damn busy these days...
Smartphone Developers: Take Note (Score:5, Insightful)
This is certainly a high-profile breach, but not apparently immediately catastrophic. However, it does provide a number of lessons for organizations and developers building smartphone applications (iPhone, iPad, Android, Blackberry, Windows Mobile, etc) All of the issues with the AT&T/Apple infrastructure for the iPad are known web application security issues. Smartphone developers need to learn from the past or they are going to repeat the mistakes of web application and AJAX/RIA application developers.
I put together some more in-depth comments here:
4 Lessons From the AT&T/Apple Data Breach for Smartphone App Developers [denimgroup.com]
--Dan
@danielcornell
Re:Bad joke (Score:5, Insightful)
Re:Goatse? Really? (Score:3, Insightful)
Re:Bad joke (Score:5, Insightful)
So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?
Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.
Re:Bad joke (Score:2, Insightful)
So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?
Not a perfect analog at all as on the web such access can be committed easily and accidentally, but I think the point remains.
I usually just pass these type of posts by, but I must say that walking into someones house or climbing in a windows is totally, not even close to accessing a PUBLIC interface on a web site.
A house or a window is quite obvious that you don't belong, but come on, how are you supposed to know that a PUBLIC interface was NOT meant to be PUBLIC.
Give me a freaking break. The point is pointless.....
Re:Bad joke (Score:4, Insightful)
That's exactly the problem.
Randomly searching directories for non-listed files? Is that a problem? What about typing "/private" to the end of a URL and finding something?
For instance with this story, it's not clear how the hacking group found the script in question. If it's not publicly listed is it a problem? The second it started returning what is obviously non-public information, is that a problem?
I completely agree that stumbling across something private on a public website is easy to do. But if the "stumbler" has to do a lot of work to stumble on the information...? (and I absolutely DON'T excuse AT&T for this leak either)
Re:Bad joke (Score:4, Insightful)
Nothing of that should be illegal. Come on, you can set up basic authentication in Apache in five lines in .htaccess [cyberciti.biz].
Any URL that doesn't require authentication should be fair game, imho. Anything less than that and we start going on a grey area and the 'net turns into a unsafe place where you can be illegal just by clicking a link.
Re:Doesn't Matter (Score:3, Insightful)
why would it affect Apple at all? This was an AT&T issue.
I admit, I don't own an iPad so I might be slightly mistaken as to how this works but from the summery it mentions that Apple is the one that 'users, who must provide the company with their email addresses to activate their iPads' which indicates Apple is the wanting the email, not AT&T. Now if Apple wants the emails, why would if have a 3rd party (AT&T) hold on to this data and not just upload it all to their servers every few hours and delete the AT&T server of this information? Now, if Apple is the one who wants the emails then I'd view it to be more Apples fault for not being in more control over the information it is requesting from its customers.
Re:Bad joke (Score:3, Insightful)
Given they wrote a script to automatically generate SIM IDs which could then be passed to retrieve another email address, I suspect they were well aware that this was data they should not be accessing.
There was no need to retrieve over 100,000 addresses before notifying AT&T nor was there any need to share the security hole with others as was also done.
The leak shouldn't have been there, but the responsible thing to do upon discovery is report it, not exploit it.
Re:Bad joke (Score:3, Insightful)
Re:Bad joke (Score:1, Insightful)
It's more like being arrested for trespassing after the fact when all you did was walk in the store and look around.
Re:Bad joke (Score:3, Insightful)
I had a friend who did that a great deal.
The world friend being used with a good deal of imagination as well.
Often he would return the merchandise to the store and explain how he wasn't really happy with the goods he acquired. He would then get store credit and usually sale the card off. This is of course all hearsay because I never witnessed the behavior.
Then one day I bumped into my "friend" at a Wal-Mart and I thought it would be a good idea to give him a good friendly greeting.
While next to an attendant I shouted, "Hey Scott! Have you gained weight buddy or is your coat filled with things you are currently taking from the shelves!"
Unfortunately, my "friend" had a very important appointment to attend to and consequently began running very quickly towards the exit. The very friendly staff caught up with him probably to inform him of some item on sale.
Re:Bad joke (Score:5, Insightful)
Not only a poor analogy, but not applicable. A private home or car is considered to be a private, exclusive area unless you explicitly know otherwise. A website is the exact opposite-it's like a storefront, or a restaurant, which a reasonable person would presume to be open to the public unless explicitly marked or set up otherwise.
And if you leave the door to your store unlocked after closing time, and I wander in, yes, that's totally acceptable, and I'm not trespassing unless I stay after you explicitly tell me to leave. Until you do, I'm making a reasonable assumption that a normally public place (a website on the public Internet, or a store) is open to the public (no access control mechanism is in place, or the front door of the store is not locked). If you accidentally leave confidential business records laying on the front counter of the store, and I see them there, I'm also doing nothing wrong-you left them in a public area, I just saw what was there.
At some point, yes, you are responsible to take reasonable security precautions. If you leave things in an area that the public is allowed to access, you can hardly yowl and scream when it becomes publicly known. Now, if you keep it in an area that is not normally accessible to the public and clearly is secured, and someone deliberately cracks in, you are much more likely to have a legitimate grievance. But only then, and this is not such a case. It was laying right out in the open for anyone at all to look at, and someone did.
Re:Bad joke (Score:3, Insightful)
To reasonably extend your analogy, they didn't come in through the front door - they came through the tradesman entrance. Services (trades) were expected to come through this interface not the general public. It is like testing the front door, finding yes you can come in but no you can't have that information and then finding that they left the services door unlocked and decided to waltz through there and get the information they were previous denied. Both are "public" entrances in the sense that they aren't strictly private to the organisation or it's employees (anyone might go up to the services entrance and knock) but not all may enter and it could be considered illegal to enter without permission. They may exist on the same shop front (perhaps a smaller door or slightly to the side) to complete your analogy or they might be better hidden.
Re:Bad joke (Score:4, Insightful)
So if you forget to lock your house door or window, or a car door, or accidentally leave a window open, etc, it's ok for anybody to enter your house and look around?
A house door or window is a perfect example of something that is "private" in the legal sense of the term.
HTTP, on the other hand, was developed primarily to allow people to publish documents for public consumption. If you place a web server on a network wide open to the public and do not protect access to your documents or indicate that you intended to do so with the equivalent of a "no trespassing" sign, you are giving the public an implicit license to view what you publish. HTTP is a publishing system after all. The similarity between "publish", "public", and "publication" is not coincidental. An implied license means authorization.
The law concerning electronic communications "interception" is relevant here:
"It shall not be unlawful under this chapter or chapter 121 of this title for any person -- (i) to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public;" (18 USC 2510 (g))
If you operate a web server that is "configured so that such communication is readily accessible to the general public" you have granted an implied license as strong as the one you have to listen to a run of the mill FM radio channel.
I hate to break it to everyone, but... (Score:5, Insightful)
Re:Bad joke (Score:3, Insightful)
You REALLY wouldn't be pissed-off if this was YOUR email address that was published?
I'd be pissed off, yes, but I'd blame AT&T for making it public in the first place, not the person who visited the web page and downloaded it.
Re:Bad joke (Score:3, Insightful)
The difference is sending a GET request to some URL is something we are supposed to do even without asking. This is a link [ethnologue.com]. How are you supposed to know if you can legally click it? Do you check with the domain owner of every link to see if you have permission before you click it?
The difference between a GET request and a malformed packet/running code on other's servers is that the GET is a legal, safe action that everyone on the web does hundreds of times per day.