Saturday, February 25, 2012

AT&T provides free user information yet again

(Update: AT&T has fixed this by the next day, as described at the bottom of this post.)
In 2010, a few grey hat hackers (like weev) were arrested for downloading information about new iPad users that ATT had provided freely on its website. All the hackers did was download what ATT freely published. But the reason the FBI arrested and prosecuted the hackers was simply because while ATT published its subscriber information to the entire world, they didn't intend for people to download the entire database. They intended instead for people to just see their own data.

Reddit is reporting that ATT is doing something like this again. This time, they allow anybody to lookup phone-numbers of their subscribers using only the subscribers e-mail address. Simply go to https://www.att.com/olam/enterEmailForgotId.myworld, enter in somebody's e-mail address, and if they are an ATT subscriber, you'll get their phone number. The first page looks like this:


When you hit "Next", you'll get a page that looks like this:


The purpose is obviously to help those who have forgotten some piece of their information. They clearly don't intended for anybody to abuse this feature. But they do nothing to stop abuse.

But it's so easy to abuse. As a hacker, it's trivially easy to take a command-line browser like curl to grab webpages, and to use a pattern search tool like grep to extract useful information. I've written a bash script 'getatt.sh' that does this. (This is just a modified version of the script from the Reddit comments):

echo $1,`curl -d "customerEmailAddress=$1" "https://www.att.com/olam/submitSLIDEmailForgotIdSlid.myworld" -silent| grep -Po '(?<=provided \()\d*'`


When you run getatt.sh john.smith@example.com, it will output a line of text that looks like:

john.smith@example.com,6782345678

To make use of this, hackers would have to know your e-mail address. Or, they can find e-mail addresses in other places. For example, a million accounts of the YouPorn porn site were hacked recently, revealing people's e-mail addresses. A hacker could easily write a script that extracts each of those e-mail addresses and run it through the script above. It'll be slow, it's making a million webqueries against a slow site after all, but a hacker could start the script before going to bed, and wake up with a database of phone numbers of people who visit YouPorn. (The above script gives you a taste of the hacker mentality, but they'd do something better/faster).

Of course, if they ran such a script, ATT would complain to the FBI, which would then break down their door and haul away their computers. This is a sad thing: the law shouldn't protect cases like this were they freely publish information, but then arrest you if you download it.


Update: As I blogged about on the previous ATT incident, the flaw here isn't one of the OWASP Top 10 website flaws. The solution isn't to fix how they do this, but to stop doing this. The flaw is #0 on the OWASP list: sheer stupidity.

Update: ATT has fixed this. It now responds by emailing your phone number, and the page below telling you this:

4 comments:

Anonymous said...

The first line should say 2011

Anonymous said...

Looks like this was fixed, or at least doesn't apply in all cases.

I entered my email address and got a page that simply said, "We have sent your User ID to the email address you have provided. You should receive this email in less than 5 minutes."

illwill said...
This comment has been removed by the author.
illwill said...

patched about an hour ago :/