The Tech Herald

AT&T loses 114,000 e-mail addresses via scripting error

by Steve Ragan - Jun 10 2010, 05:54

AT&T loses 114,000 e-mail addresses via scripting error. Image: KeyStone Press/ZUMAPress.

Gaping Holes Exposed. That’s the slogan for Goatse Security, the research collective that, after probing a script running on AT&T’s website, walked off with 114,000 iPad 3G subscriber email addresses.

The script, which allowed Goatse Security to access the ICC-IDs and email addresses, was available to anyone on the Internet. Given an integrated circuit card identifier (ICC-ID), the script would return the email address associated with it.

Goatse Security used publicly available ICC-IDs, found in places such as Flickr or shared by iPad owners who allow it in the device’s settings menu, and was then able to compile a list of email addresses. Once the group was done, it notified AT&T and then went directly to Gawker Media. Gawker, which broke the story, contacted AT&T and the script was fixed.

Goatse Security told Gawker that the PHP script used to automate the email harvesting was shared with others; it is unknown whether anyone else accessed the site before AT&T had a chance to fix it. Given that the iPad 3G has been available for some time, it is possible Goatse Security was not the only party to discover the script on AT&T’s site, which required only an iPad User-Agent in the HTTP request.
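A constructed model of the lookup the article describes, added here as an illustration and not AT&T’s code: the weak version gates only on the caller-supplied User-Agent header, while the hardened version requires a server-issued session bound to the requested ICC-ID. All records, secrets, tokens and header names are made up for the example.

```python
"""Constructed model of an ICC-ID -> e-mail lookup (not AT&T's code)."""
import hmac
import secrets

# Constructed sample records: ICC-ID -> (subscriber e-mail, activation secret).
SUBSCRIBERS = {
    "89014104211111111111": ("alice@example.com", "alice-secret"),
    "89014104211111111112": ("bob@example.com", "bob-secret"),
}

# Constructed session store: token -> ICC-ID the session was issued for.
SESSIONS = {}


def login(iccid: str, activation_secret: str):
    """Hypothetical login: issue a random token bound to one ICC-ID only
    after the caller proves possession of that record's secret."""
    record = SUBSCRIBERS.get(iccid)
    if record is None or not hmac.compare_digest(record[1], activation_secret):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = iccid
    return token


def lookup_weak(headers: dict, iccid: str):
    """Models the flaw the article describes: the only gate is the
    User-Agent header, which any HTTP client can set to any value, so
    every ICC-ID in the table is readable by whoever guesses or finds it."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    record = SUBSCRIBERS.get(iccid)
    return record[0] if record else None


def lookup_hardened(headers: dict, iccid: str):
    """Authorize on a server-issued session bound to the requested record,
    so a caller can only read the e-mail of the ICC-ID they logged in as.
    The User-Agent is ignored entirely: it is not an authentication factor."""
    bound_iccid = SESSIONS.get(headers.get("X-Session-Token", ""))
    if bound_iccid is None or bound_iccid != iccid:
        return None  # no session, or a session for a different subscriber
    record = SUBSCRIBERS.get(iccid)
    return record[0] if record else None
```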

Email addresses at Google, Amazon, AOL, Microsoft, JP Morgan Chase, Morgan Stanley, and Goldman Sachs were exposed, as well as several addresses at NASA and the U.S. Army. Other notable addresses include those linked with White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, Ann Moore, the CEO of Time Inc., ABC News’ Diane Sawyer, Chase Carey, the President and COO of News Corp., and Janet Robinson, the CEO of the New York Times.

Gawker said that the email exposure will hurt AT&T’s image, which still takes a beating over customer service and coverage issues for iPhone and iPad subscribers.

AT&T sent The Tech Herald a statement saying it was contacted by a business customer on Monday, not by Goatse Security. This contrasts with Gawker’s report, which said Goatse Security did report the issue to AT&T before the web application flaw was fixed.

The statement went on to say, “The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.”

“We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”

While Gawker clearly had the lead on the story, word of Goatse Security’s work spread like wildfire, and there were some pointing fingers at Apple. Apple has not made any public statements. It is important to remember that they didn’t develop the Web application that failed, so it is likely they will remain silent on the issue.
