AT&T Security Hole Revealed Email Addresses Of iPad Owners
from the whoops dept
Apparently, a security vulnerability in the way AT&T set up its network allowed hackers to capture the email addresses of 114,000 iPad owners. The breach was pretty basic stuff: if you fed an iPad ID number to a script that was publicly available on AT&T's website, it returned to you the email address associated with that ID. The hackers quickly set to testing out tons of likely IDs, and got back all those email addresses, including those of top execs at a bunch of big media companies, such as the CEO of the NY Times, CEO of Time, Inc., the President of News Corp, the CEO of Dow Jones and New York City mayor Bloomberg. Oh yeah, also a bunch of government emails: "Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others." AT&T issued the expected "oops" statement soon after this was exposed.
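A minimal model of the flaw described above and one way to close it, as an added example that is not AT&T's code or part of the original post. The IDs, addresses, class name, status codes and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: device ID (ICC-ID) -> subscriber email. Not real data.
SUBSCRIBERS = {
    "8901410000000000001": "alice@example.com",
    "8901410000000000002": "bob@example.com",
}


def lookup_vulnerable(icc_id):
    """The flaw as the post describes it: whoever supplies an ID gets the email back."""
    return SUBSCRIBERS.get(icc_id)


class HardenedLookup:
    """Hypothetical fix: answer only for the ID bound to the caller's authenticated
    session, and stop serving a client that asks about many different IDs."""

    def __init__(self, max_distinct_ids=3):
        self.max_distinct_ids = max_distinct_ids
        self.seen = defaultdict(set)  # client address -> distinct IDs requested
        self.blocked = set()

    def lookup(self, client, session_icc_id, requested_icc_id):
        if client in self.blocked:
            return (429, None)
        self.seen[client].add(requested_icc_id)
        if len(self.seen[client]) > self.max_distinct_ids:
            # One client probing many IDs is the enumeration pattern; cut it off.
            self.blocked.add(client)
            return (429, None)
        # Authorization: the session must own the requested ID. The reply is the
        # same 403 whether or not the ID exists, so it never confirms a valid ID.
        if session_icc_id is None or session_icc_id != requested_icc_id:
            return (403, None)
        return (200, SUBSCRIBERS.get(requested_icc_id))
```

The distinct-ID counter doubles as a detection signal: the set sizes in `seen` are what an alert on this endpoint would watch.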
Filed Under: email addresses, ipad, security hole
Companies: at&t
Reader Comments
Re:
Am I missing something here... ? (cough troll)
[ link to this | view in chronology ]
Re:
The group that exploited the security hole basically gave them the story directly. Why them and not, say, the NYT? Maybe the more "instant" exposure. Maybe the tech focus. Or maybe, given Gawker Media's recent history, the biggest paycheck for the information.
The writeup is suitably histrionic. Some email addresses got harvested, but repeatedly the article states that information or accounts were "compromised." Yeah, and I walked down Main Street, wrote down the numbers on the houses, and "compromised" those houses too. My email address is on my Website, if you care to write me. I guess my email account is now "compromised" also.
Here's another big secret that could lead to a major breach: many companies use the form "first initial-last name@example.com" as the format of their email addresses. Some even use First.M.Last@example.com!
OH NOES I HAVE COMPROMISED THE ACCOUNTS OF MILLIONS!
[ link to this | view in chronology ]
Re: Re:
But experts said that ICC-ID numbers could, in the right hands, be used to get other information, like an iPad’s location.
The breach “should be worrying people a lot,” said Nick DePetrillo, an independent security consultant.
Michael Kleeman, a communications network expert at the University of California, San Diego, said that AT&T should never have stored the information on a publicly accessible Web site. But he added that the damage was likely to be limited.
“You could in theory find out where the device is,” Mr. Kleeman said. “But to do that, you would have to gain access to very secure databases that are not generally connected to the public Internet.”
[ link to this | view in chronology ]
Re: Re: Re:
An independent security consultant tells everyone they should be worried - a lot.
It's all fun and games until someone puts an eye out.
[ link to this | view in chronology ]
Re: Re:
Exactly right... except for the fact that the email addresses that Apple collected were not intended for public distribution. If you want to give out your email address to the world then that's your decision. No one else should make that decision for you.
But since you obviously don't mind people knowing your private contact information, may I have your cell number too? Just leave it here in this thread and I'll write it down later. Thanks.
[ link to this | view in chronology ]
Re: Re: Re:
The only breach of much significance I see is the hackers have managed to connect the ID of a bunch of iPads to the actual users. Assuming you can capture the ID of the iPad when it connects to a network or to the internet, this could be a bit of an issue that makes it reasonably possible to connect some activity to a person.
The other news item here is that AT&T was completely incompetent in making this possible. Oh wait, their incompetency is not much of a surprise.
[ link to this | view in chronology ]
hollywood is now in state of RED ALERT
the information gleaned will tell a tale of [how many exploited] morons
[ link to this | view in chronology ]
guess not having me the user choose better security is well haha on you apple
[ link to this | view in chronology ]
The List
[ link to this | view in chronology ]
unlock at&t
[ link to this | view in chronology ]