Gawker's Ryan Tate writes that based on information he received from a Web security firm, 114,000 people, some of them big name executives and government officials, are affected by an AT&T security breach.
Tate reports that a group called Goatse Security obtained subscriber data through a script on AT&T's website. All that was required was the iPad's ICC-ID (integrated circuit card identifier), the unique number attached to each subscriber's SIM card:
"Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application. To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites."
Though the firm warned AT&T of the vulnerability, Goatse wrote a PHP script to harvest the data, and that script was shared with third parties before AT&T closed the security hole. A member told Gawker it is likely that many accounts beyond the 114,000 have been compromised, because it isn't known whose hands the exploit fell into or what they did with the addresses they obtained.
The breach is said to have exposed "the most exclusive email list on the planet" as early adopters of the Apple tablet include A-listers in finance, politics and media. Among the 114,000 are NYT CEO Janet Robinson, Harvey Weinstein, Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and Diane Sawyer of ABC News.
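The mechanism described above (a lookup that returns an email address for any ICC-ID, gated only by a spoofable User-Agent header, walked across sequential guesses) leaves a recognisable trace in web server logs. The following is an added detection example, not code from the article, Gawker or AT&T; the endpoint path, parameter name, log format and ICC-ID values are constructed and hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (not real AT&T logs). 10.0.0.5 walks a
# consecutive ICC-ID range; 192.0.2.20 behaves like a single real iPad.
UA = '"Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"'
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?ICCID=89014100000000000101 HTTP/1.1" 200 ' + UA,
    '10.0.0.5 - - [09/Jun/2010:10:00:02 +0000] "GET /lookup?ICCID=89014100000000000102 HTTP/1.1" 200 ' + UA,
    '10.0.0.5 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?ICCID=89014100000000000103 HTTP/1.1" 404 ' + UA,
    '10.0.0.5 - - [09/Jun/2010:10:00:04 +0000] "GET /lookup?ICCID=89014100000000000104 HTTP/1.1" 200 ' + UA,
    '10.0.0.5 - - [09/Jun/2010:10:00:05 +0000] "GET /lookup?ICCID=89014100000000000105 HTTP/1.1" 200 ' + UA,
    '192.0.2.20 - - [09/Jun/2010:10:00:03 +0000] "GET /lookup?ICCID=89014100000000000777 HTTP/1.1" 200 ' + UA,
    '192.0.2.20 - - [09/Jun/2010:10:05:03 +0000] "GET /lookup?ICCID=89014100000000000777 HTTP/1.1" 200 ' + UA,
])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /lookup\?ICCID=(?P<iccid>\d{19,20}) '
    r'HTTP/1\.[01]" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield (ip, timestamp, iccid, status) for each line that hits the lookup endpoint."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, int(m["iccid"]), int(m["status"])

def detect_enumeration(text, min_ids=5, window_seconds=60, max_stride=10):
    """Flag client IPs that query many distinct, closely spaced ICC-IDs in a short window.
    A real device asks about its own ICC-ID; a guesser steps through a range."""
    per_ip = defaultdict(list)
    for ip, ts, iccid, status in parse_log(text):
        per_ip[ip].append((ts, iccid, status))
    findings = {}
    for ip, events in per_ip.items():
        events.sort()
        ids = sorted({iccid for _, iccid, _ in events})
        if len(ids) < min_ids:
            continue
        span = (events[-1][0] - events[0][0]).total_seconds()
        stride = (ids[-1] - ids[0]) / (len(ids) - 1)  # average gap between queried IDs
        if span <= window_seconds and stride <= max_stride:
            hits = sum(1 for _, _, s in events if s == 200)  # lookups that returned data
            findings[ip] = {"ids": len(ids), "seconds": span, "stride": stride, "hits": hits}
    return findings

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(f"possible ICC-ID enumeration from {ip}: {info}")
```

The User-Agent is deliberately ignored as a signal, since the article shows it was trivially spoofed; the fix on the server side is to require real subscriber authentication and rate limiting rather than a header check.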
...although I'm gonna bet that Goatse wished they hadn't shared that information with third-party sites. AT&T will probably drop the legal hammer of doom soon.
Think this will have any effect on iProduct sales? Think anybody will even realize what happened? I vote no.
They wrote a script to speed up the guessing of the ICC-IDs and to make an automatic attempt at getting an email address back from the server. Before the exploit was fixed they obtained 114,000 "email addresses".
No names. No other numbers. Just email addresses. Then they shared the list of email addresses that they had obtained illegally with "others"? So, they should be looking at some serious jail time here if only just for the new "anti-spam" laws that have been passed.