In this week's Security Levity, I want to talk about the recent AT&T Apple iPad privacy breach, as discovered by Goatse Security. I also want to talk more generally about how companies often leak their customers' email addresses. In case you've not heard the story, Escher Auernheimer and his team of security researchers discovered that, by manipulating URLs on AT&T's website, they could collect the email addresses of iPad users who had signed up for 3G service with the carrier. As my CW blogging colleague Mitch Wagner commented:
Goatse Security got about 114,000 e-mail addresses of people including White House Chief of Staff Rahm Emanuel and New York Mayor Michael Bloomberg. ... The group found that the page would return an e-mail address ... if they entered the correct serial number for that iPad's SIM card. The group wrote code that would randomly generate serial numbers and query the Web site.
(If you're wondering about the etymology of the security researchers' company name, let's just say it's very much NSFW, so be careful how you Google.) AT&T closed the loophole a few hours after the company was notified of the problem. But now, it's on the warpath, claiming that Goatse is a group of "computer hackers" who "maliciously exploited" legitimate website functionality.
AT&T and iPhone:
What a mess
Jonny Evans:
AT&T-botched iPhone 4 launch -- an Apple nightmare
IT News Podcast:
AT&T, Apple struggle to cope with iPhone 4 pre-orders
Amir Lev:
AT&T iPad privacy breach: Goatse email "theft" thoughts
IT Blogwatch:
New AT&T privacy pratfall: now it's Apple iPhone 4 pre-order process
Two things spring to my mind about this:
1. How stupid of AT&T. Stupid to offer up customers' private information without any protection against automatic scraping. Stupid to then put the blame on the discoverers of the security bug, rather than confess to its own incompetence.
Data leakage via manipulated URLs is a well-understood security risk; any web developer who allowed this to happen in 2010 should hang his or her head in shame. (And don't get me started on yesterday's privacy snafu.)
Sure, Goatse was out for publicity, and they should have made a more responsible disclosure. The accepted way to disclose security problems is in private, to the organization responsible. Not to a media outlet, especially not to an outlet that prides itself on its 'edginess' (in this case, Gawker Media). But it does not warrant these sorts of defensive, ignorant public statements from AT&T. It's AT&T who screwed up here, not the researchers. 2. What's the big deal? It's only some email addresses. There are those that worry it's a big problem that "hackers" can collect email addresses of known iPad users with AT&T accounts. They are concerned that phishers may misuse those email addresses and be more credible in their attempts -- perhaps pretending to be AT&T or Apple and getting access to users' accounts with those companies.
Yet every day I see phishing attempts being sent in huge bulk spam-runs, using an untargeted, scatter-gun approach. I have to wonder what's so special about a list that simply contains email addresses?
Without more information about the potential victims, phishers would have limited scope; it would be hard for them to do more damage than they could with their usual techniques. It's not as if spammers are lacking in email sending resources and need to focus their efforts on high value targets!
But there's a more general problem here: Companies leaking email addresses. Spammers love to acquire new victim email addresses. Especially valuable to some spammers are targeted addresses -- in this case, iPad users. Some spammers would pay good money to get hold of this list, so they can hawk advertisements for iPad accessories or paid applications (via a kickback affiliate link).
Leaking email addresses from companies is more common than you might think. It can happen when companies go bankrupt, malicious employees steal customer lists, malware scrapes addresses from lists accessible to an infected PC, and many more reasons.
As email users, we need to be stoic about it happening: naturally, the best defense is an educated user-base, supported by good spam and phishing filters!
When he's not calming fears fanned by the echo-chamber, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider. MORE...