Gaping Holes Exposed. That’s the slogan for Goatse Security, the group of researchers who, after working some magic on a script running on AT&T’s website, managed to walk off with 114,000 iPad 3G subscriber email addresses.
The script, which allowed Goatse Security to access the ICC-IDs and email addresses, was available to anyone on the Internet. If it was given an integrated circuit card identifier (ICC-ID), the script would return the email address associated with it.
Goatse Security, which used publicly available ICC-IDs found in places such as Flickr or shared by iPad owners who allow it in the device’s settings menu, was then able to compile a list of email addresses. Once they were done, AT&T was notified and then Goatse Security went directly to Gawker Media. Gawker, who broke the story, contacted AT&T and the script was fixed.
Goatse Security told Gawker that the PHP script used to automate the email harvesting was shared with others, so it is unknown whether anyone else accessed the site before AT&T had a chance to fix it. Given that the iPad 3G has been available for some time, it is possible Goatse Security were not the only ones to discover the script on AT&T’s site, which required only an iPad USER-AGENT in the HTTP request.
Email addresses at Google, Amazon, AOL, Microsoft, JP Morgan Chase, Morgan Stanley, and Goldman Sachs were exposed, as well as several addresses at NASA and the U.S. Army. Other notable addresses include those linked with White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, Ann Moore, the CEO of Time Inc., ABC News’ Diane Sawyer, Chase Carey, the President and COO of News Corp., and Janet Robinson, the CEO of the New York Times.
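The flaw described above comes down to treating a client-supplied header as authorization. The sketch below is an added example, not AT&T's code or its fix: the handler names, the session store, the tokens and all ICC-IDs and addresses are constructed assumptions. It puts a lookup gated only by User-Agent beside one that ties each request to an authenticated owner.

```python
# Constructed sample data: these ICC-IDs, addresses and tokens are made up.
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}
# Hypothetical session store: bearer token -> ICC-ID that session logged in as.
SESSIONS = {"token-alice": "89014100000000000001"}


def lookup_weak(headers, iccid):
    """Flaw as the article describes it: an iPad User-Agent is the only gate."""
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, None
    email = SUBSCRIBERS.get(iccid)
    return (200, email) if email else (404, None)


def lookup_hardened(headers, iccid):
    """Authorize the caller for the requested record; User-Agent is ignored."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    owner = SESSIONS.get(token) if scheme == "Bearer" else None
    if owner is None:
        return 401, None
    if owner != iccid:
        # Same answer for unknown and foreign ICC-IDs, so nothing can be probed.
        return 403, None
    return 200, SUBSCRIBERS.get(iccid)


def exposed_addresses(handler, headers, iccids):
    """Return every address the handler discloses to one caller."""
    results = (handler(headers, i) for i in iccids)
    return sorted(email for status, email in results if status == 200 and email)


if __name__ == "__main__":
    ids = list(SUBSCRIBERS) + ["89014100000000000099"]
    spoofed = {"User-Agent": "Mozilla/5.0 (iPad; constructed sample)"}
    alice = {"User-Agent": "curl/8.0", "Authorization": "Bearer token-alice"}
    print(exposed_addresses(lookup_weak, spoofed, ids))      # every record
    print(exposed_addresses(lookup_hardened, spoofed, ids))  # no session: nothing
    print(exposed_addresses(lookup_hardened, alice, ids))    # own record only
```
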
Gawker said that the email exposure will hurt AT&T’s image, which still takes a beating over customer service and coverage issues for iPhone and iPad subscribers.
AT&T sent The Tech Herald a statement that said they were contacted by a business customer on Monday, and not Goatse Security. This is in contrast to what Gawker reported, as they said Goatse Security did report the issue to AT&T prior to the Web Application flaw being fixed.
The statement went on to say, “The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.”
“We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.”
While Gawker clearly had the lead on the story, word of Goatse Security’s work spread like wildfire, and there were some pointing fingers at Apple. Apple has not made any public statements. It is important to remember that they didn’t develop the Web application that failed, so it is likely they will remain silent on the issue.