AT&T Security Hole Let Hackers Steal Personal Info From Famous iPad Users

By Andrew Moseman | June 10, 2010 10:22 am

The hack that stole the email addresses of iPad users wasn’t even a hack in the truest sense, security experts are saying today. The Goatse Security team that pulled off the feat simply overpowered bad software.

The story broke yesterday that a leak in AT&T’s security had given away the email addresses of more than 100,000 people, including some of the famous and influential who were first to adopt the tablet—Diane Sawyer, New York Mayor Mike Bloomberg, and even White House Chief of Staff Rahm Emanuel.

The specific information exposed in the breach included subscribers’ email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T’s network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber [Gawker].

The Praetorian Security Group, which got a copy of the script used to grab e-mail addresses from AT&T’s servers, says that it didn’t take a sophisticated hack to steal those email addresses, just a brute force attack:

“There’s no hack, no infiltration, and no breach, just a really poorly-designed Web application that returns e-mail address when ICC-ID is passed to it,” Praetorian said in a late Wednesday entry on its security blog [Computer World].
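The weakness Praetorian describes, an endpoint that hands back an e-mail address for any ICC-ID it is given, leaves a clear trace on the server side: a legitimate device only ever asks about its own SIM, so one client asking about many different ICC-IDs is the signature of an enumeration walk. The following detection logic is an added example, not code from the article, AT&T or Praetorian; the log format and the `/lookup?iccid=` path are assumptions, and the log lines are constructed.

```python
"""Flag clients that enumerate an ICC-ID lookup endpoint (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-server log in an assumed format:
# <ISO timestamp> <client ip> <method> <path> <status>
# One client walks consecutive ICC-IDs; a second client repeats a single lookup.
SAMPLE_LOG = """\
2010-06-08T14:00:01 198.51.100.7 GET /lookup?iccid=89014104243212340001 200
2010-06-08T14:00:02 198.51.100.7 GET /lookup?iccid=89014104243212340002 200
2010-06-08T14:00:02 198.51.100.7 GET /lookup?iccid=89014104243212340003 404
2010-06-08T14:00:03 198.51.100.7 GET /lookup?iccid=89014104243212340004 200
2010-06-08T14:00:04 198.51.100.7 GET /lookup?iccid=89014104243212340005 200
2010-06-08T14:00:09 203.0.113.9 GET /lookup?iccid=89014104243219876543 200
2010-06-08T14:05:00 203.0.113.9 GET /lookup?iccid=89014104243219876543 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ /lookup\?iccid=(\d+) (\d{3})$")


def parse(log):
    """Yield (timestamp, client_ip, iccid) for every request to the lookup path."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_enumerators(log, window=timedelta(seconds=60), max_ids=3):
    """Return {client_ip: distinct ICC-IDs seen} for clients that query more than
    max_ids distinct ICC-IDs inside any sliding window of the given length.
    Response codes are ignored on purpose: a 404 for an unassigned ICC-ID still
    tells the caller which IDs exist, so misses count as lookups too."""
    by_ip = defaultdict(list)
    for ts, ip, iccid in parse(log):
        by_ip[ip].append((ts, iccid))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events fit inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {iccid for _, iccid in events[start:end + 1]}
            if len(distinct) > max_ids:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

The same counter, keyed on the authenticated session instead of the client IP, is what a hardened version of the endpoint would consult before answering at all; with the ICC-ID bound to the caller's own session there is nothing left to enumerate.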

Happily for the aggrieved iPad users, the stolen info included only email addresses and not credit card or social security numbers. AT&T says it has fixed the issue and will notify anyone whose address was stolen. Interestingly, though, Goatse didn’t exactly play by the rules of white hat hacking here.

The true motive behind Goatse Security exposing this information is unknown. Had the group followed generally accepted vulnerability disclosure ethics, it would have contacted AT&T directly to notify them of the flaw, and allowed AT&T a reasonable amount of time to respond to the issue before announcing the discovery. And, of course, an ethical disclosure would not include exposing the compromised data. Perhaps Goatse Security simply wanted to embarrass AT&T or Apple [PC World].


Image: Apple

  • Cathy

    With a name like Goatse, embarrassment is probably exactly what they had in mind. “Goatse” refers to one of the most disturbing, horrifying pornographic images the web has known, put up not too long after the invention of the WWW with international addresses. (Don’t Google it. Just don’t. You don’t want to know.)

  • Katharine

    Most of us know what Goatse is. It’s not even that disturbing, just a picture of a dude showing everyone his widespread anus.

    Remind me never to use Apple.
