Author Topic: AT&T website scraped to reveal iPad 3G owners' email addresses  (Read 388 times)

« on: June 14, 2010, 05:20:56 pm »

AT&T website scraped to reveal iPad 3G owners' email addresses

Unfortunately for AT&T's security infrastructure -- and equally unfortunately for customers who bought and activated iPad 3G units on the company's network -- a freelance security research team has reportedly scraped two key tidbits of information from thousands of iPad registrations. As Gawker reports, the hackers exploited a script on AT&T's site by feeding it ICC-IDs (the GSM SIM card's identifier code) harvested from iPad user screenshots and interpolated to cover a wider range. The AT&T site obligingly gave back the email address associated with each of the ICC-IDs.

While there's no specific security risk associated with the pairing of ICC-ID and the email address of a subscriber -- other than the likelihood of spam or the possibility of phishing -- it's still a bad, bad thing to be giving away customer data out the front door. How many pairs of IDs and emails did the gang at Goatse Security (yes, that's their name) manage to collect before AT&T became aware of their activities? About 114 thousand.

One hundred and fourteen thousand.

Of course, since the script attack was shared around before AT&T closed the hole, the total number of scraped accounts could be much higher -- possibly up to the total number of iPad 3Gs activated with the carrier. There's no way to know at the moment.

What's particularly stinging about the data scraping is that many of the email addresses appear to be associated with high-profile government or industry iPad buyers. As the Washington Post reported this week, the Apple tablet is a fairly common accessory among White House staff; it looks like chief of staff Rahm Emanuel's email is among the ones discovered, and there are plenty of addresses ending in .mil as well.

As for individuals? Well, in this case we defer to the experts on Apple device security -- or lack thereof -- at Gizmodo: no, you probably don't have much to worry about. It may be a good idea to register devices with a secondary/free email address, just to cut down on spam, but otherwise there aren't really any preventative steps to be taken here.

We've emailed both Apple and AT&T for comment on this story. The statement from Mark Siegel, AT&T's executive director of media relations, is as follows:

"AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device.

This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.

The person or group who discovered this gap did not contact AT&T.

We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.

We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted."

Updated to correct number of affected accounts.

"AT&T website scraped to reveal iPad 3G owners' email addresses" originally appeared on The Unofficial Apple Weblog (TUAW) on Wed, 09 Jun 2010 19:30:00 EST.
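Added example, not part of the original article and not AT&T's code: a log check a site operator could run to spot the pattern described above, where one client requests many distinct ICC-IDs drawn from a narrow numeric range. The log format, the `/lookup` path, the ID values and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format: client, method, path, status).
SAMPLE_LOG = "\n".join(
    # One client stepping through closely spaced ICC-IDs.
    [f"198.51.100.7 GET /lookup?iccid={8900000000000001000 + 9 * i} 200" for i in range(6)]
    # A device re-checking its own ICC-ID.
    + ["203.0.113.20 GET /lookup?iccid=8900000000000555555 200"] * 3
    # A shared gateway: several unrelated devices, IDs far apart.
    + [f"192.0.2.55 GET /lookup?iccid={8900000000000000000 + 7_000_000 * i} 200" for i in range(5)]
)

LINE_RE = re.compile(r"^(\S+) GET /lookup\?iccid=(\d{19,20}) (\d{3})$")


def parse(log_text):
    """Yield (client, iccid, status) for each well-formed lookup line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))


def find_enumerators(log_text, min_distinct=5, max_span=10_000):
    """Return {client: distinct_id_count} for clients walking an ID range.

    A client is flagged when it asked about at least `min_distinct`
    different ICC-IDs and those IDs all fall within `max_span` of each
    other, which is what interpolating from a few known IDs produces.
    """
    seen = defaultdict(set)
    for client, iccid, _status in parse(log_text):
        seen[client].add(iccid)
    flagged = {}
    for client, ids in seen.items():
        if len(ids) >= min_distinct and max(ids) - min(ids) <= max_span:
            flagged[client] = len(ids)
    return flagged


if __name__ == "__main__":
    for client, count in find_enumerators(SAMPLE_LOG).items():
        print(f"possible ICC-ID enumeration: {client} queried {count} distinct IDs")
```

Detection of this kind only limits the damage; the underlying fix is for the lookup not to return an email address to a caller who has not authenticated as that subscriber.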