iPhone 4 Pre-Order System Exposes Customer Data

Keep on Guard!

The big talk over the past weekend was about this: the AT&T system for recording pre-sales records for the new Apple iPad exposed account information. I didn't think it was a big deal until they did something similar again today with the iPhone 4... the second time in one week. That must be some kind of record?

It seems that people logging in were often greeted by someone else's details; most likely the system got overloaded and that led to some funky linking of unsynchronised database servers. Despite all the problems, however, AT&T sold out on launch day, the busiest day in AT&T history, so they claim.
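The failure the post describes, a logged-in customer being shown a different customer's record, is one that an application can refuse to render regardless of what went wrong underneath. The following is an added example and is not code from the article or from AT&T; the real cause of the incident is not established here, and the "cross-wired replica", the account names and the `render_account`/`mismatch_count` helpers are all constructed for illustration. It shows a fail-closed ownership check that compares the owner of the record returned by the lookup layer with the principal bound to the session, and records a mismatch event that operations can alert on.

```python
# Added example, not code from the article or from AT&T. It models the bug
# class the post describes (a logged-in user shown another customer's record)
# and a defender's fail-closed check against it. All names and data below are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Session:
    session_id: str
    user_id: str  # principal established at login


@dataclass(frozen=True)
class AccountRecord:
    user_id: str  # owner of this record
    name: str
    address: str


class OwnershipMismatch(Exception):
    """Raised when the record fetched for a session belongs to another user."""


# Constructed sample accounts standing in for the customer database.
ACCOUNTS: Dict[str, AccountRecord] = {
    "u1001": AccountRecord("u1001", "Alice Example", "1 Sample Street"),
    "u1002": AccountRecord("u1002", "Bob Example", "2 Sample Avenue"),
}

# Hypothetical cross-wired read replica: the key for u1001 points at Bob's
# record, simulating the kind of mix-up the post speculates about.
CROSS_WIRED_REPLICA: Dict[str, AccountRecord] = {
    "u1001": ACCOUNTS["u1002"],
    "u1002": ACCOUNTS["u1002"],
}


def fetch_account(user_id: str,
                  replica: Dict[str, AccountRecord]) -> Optional[AccountRecord]:
    """Hypothetical lookup layer; `replica` stands in for whatever backend
    answered the query. The caller does not trust that the answer is for
    the right customer."""
    return replica.get(user_id)


def render_account(session: Session, replica: Dict[str, AccountRecord],
                   audit_log: List[dict]) -> Optional[dict]:
    """Return the fields safe to show to this session, or raise if the
    record is not owned by the session's principal."""
    record = fetch_account(session.user_id, replica)
    if record is None:
        return None
    # Fail closed: compare the record's owner with the session's principal
    # rather than assuming the lookup key was honoured.
    if record.user_id != session.user_id:
        audit_log.append({
            "event": "account_ownership_mismatch",
            "session_id": session.session_id,
            "expected_user": session.user_id,
            "returned_user": record.user_id,
        })
        raise OwnershipMismatch(
            f"session {session.session_id} for {session.user_id} "
            f"received record owned by {record.user_id}")
    return {"name": record.name, "address": record.address}


def mismatch_count(audit_log: List[dict]) -> int:
    """Detection hook: number of mismatches recorded. Any non-zero count
    in production is a reason to stop serving the page, not a threshold
    to tune."""
    return sum(1 for e in audit_log
               if e["event"] == "account_ownership_mismatch")


if __name__ == "__main__":
    log: List[dict] = []
    alice = Session("sess-1", "u1001")
    print(render_account(alice, ACCOUNTS, log))
    try:
        render_account(alice, CROSS_WIRED_REPLICA, log)
    except OwnershipMismatch as exc:
        print("blocked:", exc)
    print("mismatches recorded:", mismatch_count(log))
```

The point of the check is that it sits at the rendering boundary, after every cache, replica and connection pool has had its say, so a mix-up anywhere below it produces an error and an audit event instead of another customer's name and address on screen.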

Preordering for Apple’s iPhone 4 got off to a rocky start on Tuesday, with long lines, system outages, and an AT&T server that exposed sensitive account information for existing users of the must-have mobile device.

For the second time in less than a week, Gizmodo reported, AT&T was caught exposing private information belonging to Apple customers. The breach came when existing iPhone owners placed advanced orders for the newest iPhone, which is scheduled to go on sale on June 24. After entering their account credentials, certain customers were logged in to accounts belonging to other users, potentially exposing the names, addresses, and phone logs of an unknown number of people, the website said.

The privacy snafu follows a report last week that email addresses for more than 114,000 early adopters of Apple’s iPad were exposed by an overly generous application on AT&T’s website. As a result, email addresses for some of the rich and powerful — including New York Times Co. CEO Janet Robinson, ABC Newswoman Diane Sawyer, film mogul Harvey Weinstein, and New York Mayor Michael Bloomberg — were shared with world+dog.

This story was published today by Gizmodo, who have been sharing e-mails their readers sent in showing the wrong data after logging in.

By the looks of things it’s not slowing down orders or stopping anyone from putting their details in the system, so I hope AT&T does something to rectify it soon.

AT&T representatives didn’t respond to an email seeking comment. Gizmodo shared emails sent by five readers who all recounted the same error.

“I logged in to Att.com in the pre-order frenzy,” a reader named Ethan wrote in one. “I was immediately greeted by someone else's personal information.” Gizmodo included multiple screen shots the publication said belonged to people other than the person who logged in.

Tuesday’s breach came as numerous people reported being unable to complete iPhone 4 preorders. Many who tried to order online received a message reading “There was an error processing your request. Please try again later.” Many customers who tried to order in person were greeted by long lines.

Despite the difficulty, AT&T sold out of launch-day preorders several hours later, with AT&T telling Engadget it “was the busiest online sales day in AT&T history.”

The paranoid amongst us may indeed think there is some mass-scale fraud going on, and perhaps someone has compromised the AT&T customer records system and is billing other people for iPhones they are taking delivery of.

Well, if that's happening I'm sure the news will come out soon enough, unless AT&T manages to sweep it under the carpet.

Either way, if you're an AT&T customer... I'd be careful if I were you.

Source: The Register

Posted in: Apple, Exploits/Vulnerabilities, Privacy

One Response to iPhone 4 Pre-Order System Exposes Customer Data

  1. CBRP1R8 June 16, 2010 at 10:24 pm #

    This is quoted excerpts out of another news story I found since you mentioned the ATT hacker guy, here's what happened to him this week. LOLOL

    iPad “hacker” arrested on drugs charges
    The dangers of angering Apple and AT&T

    The man who made the grave mistake of proving that the AT&T and Apple alliance had exposed users' personal data to the world has been mysteriously arrested on drugs charges.

    FBI people gained a warrant to search the house of Andrew Auernheimer, 24, who alerted the world to the iPad flaw.

    The Feds searching his home found drugs and arrested him. He now faces four felony charges of possession of a controlled substance and one misdemeanour possession charge, Foster said. The drugs included cocaine, ecstasy, LSD, and schedule 2 and 3 pharmaceuticals.

    At the time we thought that AT&T would be protecting customers from having their personal data being used. Now it seems that it meant it would be reporting the case to the FBI. No one knows this of course, the FBI might have decided to do a search for drugs at Auernheimer’s place and the fact that he angered two big IT companies a week before might have just been a coincidence.

    Yeah coincidence my @$$!