As AT&T's servers struggled to verify eligibility for existing customers attempting to preorder iPhone 4 on Tuesday, some customers reported that they saw a different user's account via the AT&T website. The exclusive wireless provider of the iPhone in the U.S. said it has received word of these incidents, and is looking into the issue.
"We have received reports of customers inadvertently seeing the wrong account information during the iPhone 4 purchasing process," a company spokesperson said. "We have been unable to replicate the issue, but the information displayed did not include call-detail records, social security numbers, or credit card information. In the meantime, we are looking into this matter."
The statement came in response to a report Tuesday from an anonymous source who alleged that an accidental information leak may have occurred during the initial rush of iPhone 4 preorders. An "AT&T insider" told Gizmodo that an allegedly faulty server software update could have caused security issues.
Some customers claimed that they saw a different customer's name and information upon logging in to the AT&T website.
The situation is the second in less than a week involving security for AT&T. Last week, the wireless carrier acknowledged that a security flaw on its website made it possible for hackers to query the company's database and uncover the e-mail addresses of customers who had registered to use its mobile broadband service.
At least 114,000 iPad 3G users' e-mail addresses were said to have been leaked, and the U.S. Federal Bureau of Investigation has announced that it has begun a probe into the security breach.
16 Comments
You go AT&T. Have an investigation. Find out whose ass to kick.
One of the error screenshots on Gizmodo showed an NSAPI plug-in error message on the AT&T site. NSAPI is old s*&t (Netscape's iPlanet web server). That under load and a not perfectly configured load balancer that is properly sticking sessions to servers can result in session corruption where you get another user's session and hence see their info. If I were a betting man, that's what I'd attribute it to.
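One way a defender could look for the symptom this comment describes in access logs (one session cookie being served by several backends, or showing more than one account) is sketched below. This is an added example, not code from the original page or the commenter; the log format, field names and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real AT&T data): each records the
# backend that served the request, the session cookie and the account shown.
SAMPLE_LOG = """\
2010-06-15T09:01:02Z backend=web01 session=s1a2b3 account=100001 path=/account
2010-06-15T09:01:05Z backend=web01 session=s1a2b3 account=100001 path=/preorder
2010-06-15T09:01:07Z backend=web02 session=s1a2b3 account=200417 path=/preorder
2010-06-15T09:01:09Z backend=web03 session=c9d8e7 account=300222 path=/account
2010-06-15T09:01:11Z backend=web03 session=c9d8e7 account=300222 path=/preorder
"""

# Assumed log layout: timestamp, then key=value fields for backend, session,
# account and path.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) backend=(?P<backend>\S+) session=(?P<session>\S+) "
    r"account=(?P<account>\S+) path=(?P<path>\S+)$"
)

def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_session_anomalies(text):
    """Return {session_id: {"backends": set, "accounts": set}} for sessions
    served by more than one backend or shown more than one account.
    Several accounts under one session is the cross-account exposure itself;
    several backends under one session is the non-sticky balancing that the
    comment blames for it."""
    seen = defaultdict(lambda: {"backends": set(), "accounts": set()})
    for rec in parse_log(text):
        seen[rec["session"]]["backends"].add(rec["backend"])
        seen[rec["session"]]["accounts"].add(rec["account"])
    return {
        sid: info for sid, info in seen.items()
        if len(info["backends"]) > 1 or len(info["accounts"]) > 1
    }

if __name__ == "__main__":
    for sid, info in find_session_anomalies(SAMPLE_LOG).items():
        print(f"session {sid}: backends={sorted(info['backends'])} "
              f"accounts={sorted(info['accounts'])}")
```

On the sample above only session s1a2b3 is flagged: it moved from web01 to web02 and was shown two different accounts.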
Looks like Gizmodo is on a witch hunt.
Gotta love legacy systems.
You probably think that this information is obvious and that every system support tech knows it, but I would guess that no one at AT&T has any idea about this. You should call them up and offer your consulting services for some exorbitant daily rate.