
Massive AT&T Breach Exposes A-Listers' iPad Data

Source: Tom's Hardware US | 25 comments

A huge AT&T security breach has put more than 100,000 iPad owners at risk.

Gawker's Ryan Tate writes that, based on information he received from a Web security firm, 114,000 people, some of them big-name executives and government officials, are affected by an AT&T security breach.

Tate reports that a group called Goatse Security obtained subscriber data through a script on AT&T's website. All that was required was the iPad's ICC-ID (integrated circuit card identifier), the unique number attached to each subscriber's SIM card:

"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.

To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites."

Though the firm warned AT&T of the vulnerability, Goatse wrote a PHP script to harvest the data, and this was shared with third parties before AT&T closed the security hole. A member told Gawker that many accounts beyond the 114,000 have likely been compromised, because it isn't known whose hands the exploit fell into and what they did with the names they obtained.
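
The flaw described above, shown next to a corrected handler as an added Python example (not AT&T's or Goatse Security's code): the first function gates the lookup only on a User-Agent value the client chooses, the second authorizes against a server-side session and gives the same refusal whether or not the ICC-ID exists. The data, the `X-Session-Token` header, the session store and all function names are assumptions made for illustration.

```python
# Constructed sample data: these ICC-IDs and addresses are made up.
SUBSCRIBERS = {
    "99990000000000000017": "alice@example.com",
    "99990000000000000025": "bob@example.com",
}
# Hypothetical server-side session store: token -> ICC-ID that account owns.
SESSIONS = {"tok-alice": "99990000000000000017"}


def lookup_vulnerable(headers, iccid):
    """Behaviour the article describes: the only gate is a client-chosen header."""
    if "iPad" not in headers.get("User-Agent", ""):
        return 403, None
    email = SUBSCRIBERS.get(iccid)
    return (200, email) if email else (404, None)


def lookup_hardened(headers, iccid):
    """Authorize against server-side state; User-Agent plays no part."""
    owned = SESSIONS.get(headers.get("X-Session-Token", ""))
    # One identical refusal for "no session", "unknown ICC-ID" and
    # "someone else's ICC-ID", so replies do not confirm which IDs exist.
    if owned is None or owned != iccid or owned not in SUBSCRIBERS:
        return 403, None
    return 200, SUBSCRIBERS[owned]


def disclosed(handler, headers, iccids):
    """Count how many addresses a client with these headers gets back."""
    return sum(1 for i in iccids if handler(headers, i)[0] == 200)


if __name__ == "__main__":
    anyone = {"User-Agent": "Mozilla/5.0 (iPad; constructed example)"}
    owner = dict(anyone, **{"X-Session-Token": "tok-alice"})
    ids = list(SUBSCRIBERS)
    print("vulnerable, no login:", disclosed(lookup_vulnerable, anyone, ids))
    print("hardened, no login:  ", disclosed(lookup_hardened, anyone, ids))
    print("hardened, as owner:  ", disclosed(lookup_hardened, owner, ids))
```

A guessable identifier plus a header check is not access control; pairing the session-bound check with per-client limits on distinct ICC-IDs requested would also make bulk guessing visible in logs.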

The breach is said to have exposed "the most exclusive email list on the planet" as early adopters of the Apple tablet include A-listers in finance, politics and media. Among the 114,000 are NYT CEO Janet Robinson, Harvey Weinstein, Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and Diane Sawyer of ABC News.

Read the full story on Gawker.

Top Comments
  • 36
    Anonymous , June 9, 2010 11:00 PM
    goatse security? sounds like they just need to patch that 'security hole', but that's a stretch. lol i win.
  • 13
    killerclick , June 9, 2010 10:55 PM
    Wow, imagine reading Rahmbo's mail
  • 13
    Pyroflea , June 9, 2010 11:10 PM
    Omg, worst name for a group ever.

    Think this will have any effect on iProduct sales? Think anybody will even realize what happened? I vote no.
Other Comments
  • 3
    flea420 , June 9, 2010 10:56 PM
    lol
  • 10
    Anonymous , June 9, 2010 11:03 PM
    lulz goatse
  • 7
    Ragnar-Kon , June 9, 2010 11:03 PM
    Yet another AT&T fail.

    ...although I'm gonna bet that Goatse wished they hadn't shared that information to 3rd party sites. AT&T will probably drop the legal hammer of doom soon.
  • 1
    Maxor127 , June 9, 2010 11:09 PM
    Wait... so they're posing as a security firm and exploited a system and shared it with third-parties? Sounds like cyber crime to me or am I completely misreading this?
  • -1
    wintermint , June 9, 2010 11:10 PM
    Wow.. Steve Jobs got his other foot shot.. poor bastard..
  • 3
    ThisIsMe , June 9, 2010 11:25 PM
    So all they got was an email address from this.

    They wrote a script to speed the guessing of the ICC-ID's and to make an auto attempt at getting an email address back from the server. Before the exploit was fixed they 114,000 "email addresses"

    No names. No other numbers. Just email addresses. Then they shared the list of email addresses that they had obtained illegally with "others"? So, they should be looking at some serious jail time here if only just for the new "anti-spam" laws that have been passed.
  • 6
    vabeachboy0 , June 9, 2010 11:31 PM
    AT&T The world's fastest 3g FAILURE
  • 0
    nforce4max , June 9, 2010 11:52 PM
    They should include this in the fine print when idiots sign up for their sky high priced plans.
  • 4
    borisof007 , June 10, 2010 12:13 AM
    goatseanalstretch: "goatse security? sounds like they just need to patch that 'security hole', but that's a stretch. lol i win."

    +10000
  • 0
    Anonymous , June 10, 2010 12:25 AM
    Maxor127: "Wait... so they're posing as a security firm and exploited a system and shared it with third-parties? Sounds like cyber crime to me or am I completely misreading this?"

    Yah that's what went through my head initially, if they're a security firm why in the world would they turn around and exploit the security flaw they themselves had discovered. It's like me going into a store through a back door that should have been locked, stealing everything in the store, then later telling the owner "oh by the way I stole things from you".
  • -1
    sdm004 , June 10, 2010 1:12 AM
    Come on Tom's! I saw this article headlined on DRUDGEREPORT.COM this morning...don't get left behind!
  • 0
    dark_knight33 , June 10, 2010 3:29 AM
    goatseanalstretch: "goatse security? sounds like they just need to patch that 'security hole', but that's a stretch. lol i win."

    Epic Win.
  • 0
    Sihastru , June 10, 2010 6:09 AM
    And yet you found a way to turn this into an advert for the iPad, by quoting in the last paragraph a few heavy names from the so called "A-list".

    If you got hacked, you're in good company, you're part of an elite group of individuals, you're on the "A-list", no need to be angry at AT&T or Apple for anything. This is a "good" thing. You've just been promoted from a B-grade parasite to an A-grade individual.

    Gotta love the internet.
  • -2
    iokau , June 10, 2010 6:25 AM
    Oh 4chan, you so crazy.
  • -1
    dEAne , June 10, 2010 7:42 AM
    These things we never want to happen.
  • 0
    TomD_1 , June 10, 2010 11:27 AM
    The name must be a typo, or a joke or something? Calling your company Goatse Security is just asking for trouble
  • 1
    CChick , June 10, 2010 12:11 PM
    This is what those "I got Apple stuff I'm above the others" morons deserve