The Tech Herald

AT&T loses 114,000 e-mail addresses via scripting error

by Steve Ragan - Jun 10 2010, 05:54

AT&T loses 114,000 e-mail addresses via scripting error. Image: KeyStone Press/ZUMAPress.

Gaping Holes Exposed. Thats the slogan for Goatse Security, the collective group of researchers who after working some magic on a script running on AT&Ts website, managed to walk off with 114,000 iPad 3G subscriber email addresses.

The script, which allowed Goatse Security [Link] to access the ICC-IDs and email addresses, was available to anyone on the Internet. If it was given an integrated circuit card identifier (ICC-ID), the script would return the email address associated with it.

Goatse Security, who used publically available ICC-IDs found in places such as Flickr or shared by iPad owners who allow it in the devices settings menu, were then able to compile a list of email addresses. Once they were done, AT&T was notified and then Goatse Security went directly to Gawker Media. Gawker, who broke the story, contacted AT&T and the script was fixed. [Original article is here.]

Goatse Security told Gawker that the PHP script used to automate the email harvesting was shared with others, it is unknown if anyone else accessed the site before AT&T had a chance to fix it. Given that the iPad 3G has been available for sometime, it is possible Goatse Security were not the only ones to discover the script on AT&Ts site, which required only an iPad USER-AGENT in the HTTP request.

Email addresses at Google, Amazon, AOL, Microsft, JP Morgan Chase, Morgan Stanley, and Goldman Sachs were exposed, as well as several addresses at NASA and the U.S. Army. Other notable addresses include those linked with White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, Ann Moore, the CEO of Time Inc., ABC News Diane Sawyer, Chase Carey, the President and COO of News Corp., and Janet Robinson, the CEO of the New York Times

Gawker said that the email exposure will hurt AT&Ts image, which still takes a beating over customer service and coverage issues for iPhone and iPad subscribers.

AT&T sent The Tech Herald a statement that said they were contacted by a business customer on Monday, and not Goatse Security. This is in contrast to what Gawker reported, as they said Goatse Security did report the issue to AT&T prior to the Web Application flaw being fixed.

The statement went on to say, The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.

While Gawker clearly had the lead on the story, word of Goatse Securitys work spread like wildfire, and there were some pointing fingers at Apple. Apple has not made any public statements. It is important to remember that they didnt develop the Web application that failed, so it is likely they will remain silent on the issue.

Around the Web

Comment on this Story

comments powered by Disqus


Miami Formula E Tickets On Sale Now

Tickets for the first US race in the Formula E calendar — Miami — are on sale now.The ePrix&...

Our Most Popular Car Games Of 2014

It’s that time of year when we take stock of where we’re at and button down the hatches over...

Monster Truck World Speed Record Broken By The Raminator

The monster truck speed record has been broken by road-going goliath The Raminator.The truck...

Car Games Update – December 2014

Our car games section is constantly growing and becoming more popular by the day. Over the p...

The Mind-blowing 2015 BMW 6 Series (PICTURES)

Here’s a great selection of pictures of the new 2015 BMW 6 Series to salivate over. The new ...