There has been a lot of discussion regarding the over reach of the Computer Fraud and Abuse Act (aka CFAA) and prosecutorial misuse. The discussion only intensified after the suicide of Aaron Schwartz. Broadly, the CFAA criminalizes access to computer services that exceeds authorization. The question is what exceeds authorization is especially thorny in the case of a publicly accessible website.
Consider the current case against Andrew “weev” Auernheimer. He is being prosecuted for unauthorized access to 100k+ emails of AT&T customers who owned Ipads. Seems pretty bad doesn’t it…..but lets consider what he did from a technical standpoint.
It turns out AT&T was trying to make it easy for Ipad customers to log into their AT&T account. When a customer would access AT&T’s website, the Ipad had be preprogrammed to call a specific webpage. I don’t know the exact URL but it looked something like this
That number at the end was the serial number of the Ipad. AT&T then used this number to pull the person’s email address from their records and pre-populate the login page so the customer didn’t have to enter their email every time they wanted to log in.
What Auernheimer did was go to the URL and alter the serial number sequentially upwards, thus revealing thousands of customer’s emails. This is a common problem and is easily fixed by what is referred to as page level security. In other words, you should only display information on a page if the user is authorized to access it. I’ve found this problem in many website, including my law school which displayed the roster of every class in the school and a popular retailer which allowed me to view every order placed on the website.
While AT&T certainly didn’t want Auernheimer to get that information, they put it out there for the world to see and ignored basic security practices. Auernheimer simply pointed this out as I and others have done so in the past.
It seems almost silly that if I set my computer to access a web page by typing a url, essentially instructing ATT’s server to send me some information (http://www.att.com/home.php?ipad=00033333) and get information PROVIDED by AT&T’s web server I’m now a Federal felon for unauthorized access.
If you, dear blog reader, agree with me so far, let’s make the question a bit more complicated. Suppose instead I enter the following in my url
http://www.att.com/home.php?ipad=’; select * from dbo.customers;
and now the webserver returns the entire database of customer information. This technique is called a sql injection attack and provides me a way of injecting a sql statement into their code. Here I have similarly sent instructions to AT&T’s server but this time I’ve gotten information they never intended to share. But wait, the never intended to share that one customer’s email with ME in the previous URL.
The fact is, without exposure by people such as Auernheimer, ATT and other companies lack incentive to secure their software. Then the only people using these attacks will be the criminals who use them for nefarious purposes. This shouldn’t be illegal under the CFAA. If anything, AT&T should be liable for failure to exhibit best security practices.