alt Hacker News See the AT&T/iPad data leak, where AT&T were leaking private information on the internet with no security checks at all. Someone found it, told the press, who in turn told AT&T, but the FBI still investigated it as a "crime", raided their home, charged them with "conspiracy to access a computer without authorization." AT&T go no punishment at all.
Should they have had better security? Yes. Was the vulnerability extremely basic? Yes. Doesn't change much, a vulnerability was used to dump a bunch of private data.
Replies
> I think you are missing some nuance here. They found a vulnerability where they could just increment an "id" and get access to another user's information.
That's not nuance; the information was publically available on the internet without any security. Even search engines had indexed it before it was patched.
> They then went ahead and scraped as much as they could.
They told the press instead of releasing it.
> AT&T did not leak the information, Andrew did!
So AT&T dumping it all onto the open internet without any security isn't culpable, but the person who let the press know that their information was available to everyone is. That's quite an interesting take.
I'm struggling to see the nuance... You just repeated back what I already said, but added that you dislike the person personally, which is absolutely fine, but we're talking about miscarriages of justice not running a popularity contest. If you feel like they committed other crimes (which they likely did per Wikipedia), that is unrelated to THIS supposed crime.
> Was the vulnerability extremely basic? Yes.
There was no vulnerability. You just needed to request a record from a public web-server, which the server happily provided with no extra steps.
Let me ask this: When you request e.g. google.com, and they return a HTTP response, why is that not a "vulnerability?" Because we'd both agree it objectively is not. So then, why, when AT&T provides a URL with information they're meant to keep private but available to the public, and you then request it, that is suddenly a "vulnerability?"
Here is the actual URL you needed to call:
https://dcp2.att.com/OEPNDClient/openPage?IMEI=0&ICCID=<consecutive id>
You just needed to take any iPad's ICC ID and +1 for the next customer's record. So what is the "vulnerability?" Being able to count consecutively?
"The guy who did it sucked" is generally not a good justification.
It's an easy trap to fall into (we all want consequences for shitty people), but it's also a blurry line to hold.
"First they came…"
Exactly. If you find an unlocked warehouse, even if you are supposed to pick up something of yours, and instead of directly complaining you also ransack everything, you’re going to catch some heat.