Massive AT&T Breach Exposes A-Listers' iPad Data
A huge AT&T security breach has put more than 100,000 iPad owners at risk.
Gawker's Ryan Tate writes that based on information he received from a Web security firm, 114,000 people, some of them big name executives and government officials, are affected by an AT&T security breach.
Tate reports that a group called Goatse Security obtained subscriber data through a script on AT&T's website. All that was required was the iPad's ICC-ID (integrated circuit card identifier), the unique number attached to each subscriber's SIM card:
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such header identify users' browser types to websites."
Though the firm warned AT&T of the vulnerability, Goatse wrote a PHP script to harvest the data and this was shared with third-parties before AT&T closed the security hole. A member told Gawker it's likely many accounts beyond the 114,000 have been compromised because it isn't known whose hands the exploit fell into and what they did with the names they obtained.
The breach is said to have exposed "the most exclusive email list on the planet" as early adopters of the Apple tablet include A-listers in finance, politics and media. Among the 114,000 are NYT CEO Janet Robinson, Harvey Weinstein, Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and Diane Sawyer of ABC News.
Read the full story on Gawker.
Stay On the Cutting Edge: Get the Tom's Hardware Newsletter
Get Tom's Hardware's best news and in-depth reviews, straight to your inbox.
-
goatse security? sounds like they just need to patch that 'security hole', but that's a stretch. lol i win.Reply
-
Ragnar-Kon Yet another AT&T fail.Reply
...although I'm gonna bet that Goatse wished they hadn't shared that information to 3rd party sites. AT&T will probably drop the legal hammer of doom soon. -
Maxor127 Wait... so they're posing as a security firm and exploited a system and shared it with third-parties? Sounds like cyber crime to me or am I completely misreading this?Reply -
Pyroflea Omg, worst name for a group ever.Reply
Think this will have any effect on iProduct sales? Think anybody will even realize what happened? I vote no. -
ThisIsMe So all they got was an email address from this.Reply
They wrote a script to speed the guessing of the ICC-ID's and to make an auto attempt at getting an email address back from the server. Before the exploit was fixed they 114,000 "email addresses"
No names. No other numbers. Just email addresses. Then they shared the list of email addresses that they had obtained illegally with "others"? So, they should be looking at some serious jail time here if only just for the new "anti-spam" laws that have been passed.