New AT&T privacy pratfall: now it's Apple iPhone 4 pre-order process

By Richi Jennings. June 16, 2010.

Good grief. Coming hard on the heels of AT&T's email address leak, the wireless carrier is embroiled in another privacy flap. This time, iPhone 4 upgraders can see other users' account details. In IT Blogwatch, bloggers roll their eyes and scream.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention

(T) (AAPL)

    After calling the pre-order process "a total disaster," Jesus Diaz brings more bad news:

It gets much worse: ... this iPhonecalypse may be related to "a major fraud update that went wrong." The bug is exposing AT&T users' private information. ... This is how it happens: A customer tries to log into their AT&T account to order a new iPhone 4 upgrade. ... The AT&T system would take them to another user account. This gives access to all kinds of private information.


Addresses, phone calls, and bills, along with the rest of private information, becomes exposed to random strangers. ... Even if you don't upgrade your private information could be exposed as other people try to upgrade. ... This morning, AT&T took down their account online system completely.

Dan Goodin reminds us that AT&T has form:

For the second time in less than a week ... AT&T was caught exposing private information. ... The privacy snafu follows a report last week that email addresses for more than 114,000 early adopters of Apple's iPad were exposed by ... AT&T's website.


Tuesday's breach came as numerous people reported being unable to complete iPhone 4 preorders. Many who tried to order online received a message reading “There was an error processing your request.” ... Many customers who tried to order in person were greeted by long lines.

Jason Mickoffers a medical analogy:

Security is a lot like combating illness -- sometimes you have a relatively minor issue that affects many people, other times you have a major issue that only affects a few. AT&T's iPad email leak and its ramifications were bad enough, but AT&T's latest breach appears to be even worse. ... This nightmarish scenario, appears only to be affecting a few of AT&T's subscribers, but for those impacted it could lead to some very serious problems, should the info fall into the hands of someone who might ... abuse it.


One can only shake there head in amazement at how AT&T let this happen after their iPad bungle last week.

David Sarno does the professional journalist thing:

AT&T declined to offer any hint as to the origin of the problems. "We have no comment," an AT&T spokesperson wrote.


The succinct reply came in answer to a query about the nature and cause of the problems, as well as when the company expected them to be resolved. ... Apple has not returned a request for comment.

 Leanna Lofte lays low:

This is a huge security issue. ... It may explain why there are so many server issues today. ... Perhaps not. We’ll be interested to hear what AT&T has to say.


AT&T is not doing a great job of building customer’s trust, especially when something like this happens a week after they were hacked, compromising the email addresses of iPad owners.

The anonymous Praetorian Prefect bloggers blog:

We’ve seen this behavior before, a lot. When you stress test a web site, its not uncommon to see functions that return and read user sessions get garbled, and web sites start to return pages for the wrong user session. ... Some sort of persistence mechanism is returned to maintain the session (usually a session cookie). ... Every “logged in page” reads this session identifier to determine whether the user is logged in and uses it to return the right information. Further complexity is usually introduced into large web sites, where some sort of load balancing is taking place.


When you overload the capacity of programs that read, manage, and create sessions, bad stuff happens like sessions getting crossed. ... The AT&T site was probably under a severe and unusually high server load today, [so] the site went haywire. ... How do you prevent this from happening? Add occasional and event driven stress testing to your quality assurance processes. ... At the very least you ... not be surprised when the Apple fanboys come calling for Steve’s latest masterpiece.

But Ryan Tate has a simpler suggestion:

AT&T laid off upwards of 200+ people from its chief security office earlier this month, and needs to replace that expertise.


This is a much easier problem for Apple to solve than AT&T. ... Apple just needs to switch to another cellular partner.

And Finally...

If It Was My Home: Visualizing the BP Oil Spill

Don't miss out on IT Blogwatch:

Richi Jennings, your humble blogwatcher
  Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and security. A cross-functional IT geek since 1985, you can follow him as @richi on Twitter, pretend to be richij's friend on Facebook, or just use good old email:

You can also read Richi's full profile and disclosure of his industry affiliations.


AT&T and iPhone: What a mess

Jonny Evans:
AT&T-botched iPhone 4 launch -- an Apple nightmare
IT News Podcast:
AT&T, Apple struggle to cope with iPhone 4 pre-orders
Amir Lev:
AT&T iPad privacy breach: Goatse email "theft" thoughts
IT Blogwatch:
New AT&T privacy pratfall: now it's Apple iPhone 4 pre-order process

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon