AT&T Leaks Emails Addresses of 114,000 iPad Users

Hugh Pickens writes "Daily Tech reports that in what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed. Apparently AT&T left a script on its public website, which when handed an ICC-ID would respond back with the email address of the subscriber. This apparently was intended for an AJAX-style response inside AT&T's web apps. Gawker reports that it's possible that confidential information about every iPad 3G owner in the US has been exposed. 'This is going to hurt the telecommunications company's already poor image with iPhone and iPad customers, and complicate its very profitable relationship with Apple,' writes Ryan Tate, adding that the leak is likely to unnerve customers thinking of buying iPads that connect to AT&T's cellular network. 'Although the security vulnerability was confined to AT&T servers, Apple bears responsibility for ensuring the privacy of its users, who must provide the company with their email addresses to activate their iPads.' In a statement, AT&T says that the issue was escalated to the highest levels of the company and that it has essentially turned off the feature that provided the email addresses. 'We are continuing to investigate and will inform all customers whose email addresses and ICC IDS may have been obtained,' says AT&T. 'We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.'"

Re:Bad move, Apple

[Shadow Wrought]

I sometimes wonder why Apple hasn't moved away from it's exclusive relationship with AT&T. I do wonder how Apple would spin if it were opened to other carriers and they all experienced the drop call issue?

Re:Bad joke

[Peach Rings]

It's going to become news when this hits the courts:

in what appears to be a legal fashion by querying a public interface

Since when [slashdot.org] does the interface being public [slashdot.org] have anything to do with whether accessing it is legal? The law makes statements about authorized and unauthorized access, not technically possible and technically impossible access. In all hacking crimes the system is happily serving up content exactly as built by the designers, but it's still a crime. In many cases, the system is even working as intended (no buffer overflows and the like) but if unauthorized access is obtained, it's still a crime.

Does anyone else remember this case [zdnet.co.uk] that was on slashdot some years ago? A computer security consultant was convicted in the UK for typing "/../../" after a URL and hitting enter. Obviously this destroyed his career.

This is the text of the law that convicted him.

a person is guilty of an offence if: he causes a computer to perform any function with intent to secure access to any program or data held in any computer and the access he intends to secure is unauthorised and he knows at the time when he causes the computer to perform the function that that is the case

Re:Bad joke

[icebraining]

So when you click on a link, are you sure the website allows you to access it?

Nobody "broke in" anything. They requested the service, the server gave it to them. I don't see any illegality here.

Re:Bad joke

[Hatta]

we start going on a grey area and the 'net turns into a unsafe place where you can be illegal just by clicking a link.

We're already there [cnet.com].