Security breach allows hackers to obtain info on 114,000 AT&T iPad owners

Security

Um, wow. Gawker revealed today that a group of hackers from Goatse Security (no joke) were recently able to breach AT&T’s servers and obtain confidential user info on a significant number of AT&T’s iPad 3G users. AT&T eventually patched the hole in its system after being informed of its existence by Goatse Security, but only after confidential information, namely the email addresses of an estimated 114,067 iPad 3G users, including top-level government officials, high-ranking military officers, and Fortune 500 CEOs, had been exposed. Here’s how the data was obtained.

When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC-IDs by looking at known iPad 3G ICC-IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.

To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.

The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.
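The two weaknesses described above are worth seeing together: the lookup script treated an iPad User-Agent header as if it were authentication, and the ICC-ID it keyed on is a sequential identifier whose only built-in protection is a Luhn check digit, so valid neighbours of any known ICC-ID can be generated offline. The following is an added example, not the Goatse Security script or any AT&T code. It simulates the vulnerable lookup and its enumeration in memory, then shows the hardened form that binds the lookup to a server-side session instead of to a request parameter. The directory contents, the `89014100` issuer prefix (only the leading `89`, the telecom industry identifier, is real), and the endpoint and function names are all constructed for the illustration.

```python
"""Simulation of an ICC-ID -> email disclosure and its fix (added example).

Nothing here is code from BGR, Gawker, Goatse Security or AT&T; every value
below is constructed so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, Optional

# Constructed issuer prefix: "89" is the real telecom industry identifier,
# the remaining digits are made up.  Serial numbers are zero-padded to 10
# digits and the whole ICC-ID ends in a Luhn check digit (19 digits total).
ISSUER_PREFIX = "89014100"

# Illustrative iPad User-Agent string; the exact value does not matter, the
# vulnerable endpoint only looks for the substring "iPad".
IPAD_UA = "Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10"


def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that makes body + digit a valid ICC-ID."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # rightmost body digit is doubled once the check digit is appended
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def make_iccid(serial: int) -> str:
    """Build a constructed, Luhn-valid ICC-ID for a given serial number."""
    body = f"{ISSUER_PREFIX}{serial:010d}"
    return body + luhn_check_digit(body)


# Constructed "subscriber directory" standing in for AT&T's back end.
DIRECTORY: Dict[str, str] = {
    make_iccid(s): f"user{s}@example.com" for s in (100, 101, 102, 105, 120)
}


def vulnerable_lookup(icc_id: str, headers: Dict[str, str]) -> Optional[str]:
    """The weak pattern: the only gate is a spoofable User-Agent header."""
    if "iPad" not in headers.get("User-Agent", ""):
        return None
    return DIRECTORY.get(icc_id)


def neighbouring_iccids(known: str, span: int) -> Iterator[str]:
    """Yield every Luhn-valid ICC-ID whose serial lies within +/- span of a known one.

    This is the enumeration step: one ICC-ID seen in a photo or a friend's
    Settings screen gives an attacker a whole block of plausible candidates.
    """
    body, check = known[:-1], known[-1]
    if luhn_check_digit(body) != check:
        raise ValueError("seed ICC-ID fails its own check digit")
    base = int(body)
    for delta in range(-span, span + 1):
        candidate = str(base + delta).zfill(len(body))
        yield candidate + luhn_check_digit(candidate)


def harvest(known_iccid: str, span: int) -> Dict[str, str]:
    """Drive the vulnerable endpoint with a spoofed User-Agent over a block of ICC-IDs."""
    spoofed = {"User-Agent": IPAD_UA}
    found: Dict[str, str] = {}
    for candidate in neighbouring_iccids(known_iccid, span):
        email = vulnerable_lookup(candidate, spoofed)
        if email is not None:
            found[candidate] = email
    return found


@dataclass
class Session:
    """Server-side session created by a real login; the ICC-ID is bound here, not supplied per request."""
    icc_id: str


def hardened_lookup(requested_icc_id: str, session: Optional[Session]) -> Optional[str]:
    """Object-level authorization: a caller may only read the record bound to its own session.

    The ICC-ID in the request is compared against the one the server already
    knows; a mismatch (or no session at all) is refused regardless of headers.
    """
    if session is None or session.icc_id != requested_icc_id:
        return None
    return DIRECTORY.get(session.icc_id)


if __name__ == "__main__":
    seed = make_iccid(102)                       # one ICC-ID the attacker has seen
    print("harvested:", harvest(seed, 5))        # four of the five constructed records
    print("hardened, wrong target:", hardened_lookup(make_iccid(100), Session(seed)))
    print("hardened, own record:", hardened_lookup(seed, Session(seed)))
```

The enumeration needs no network contact to produce valid identifiers, which is why the "large swath" of guesses in the quoted description was cheap; the only place to stop it was the server, by refusing to let a request parameter select whose record is returned, and by rate-limiting lookups per client so a sequential sweep stands out in the logs.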

It goes without saying that this is an incredibly serious issue, and one that will most definitely gain more exposure over the coming days. In some ways, we have to wonder what is more concerning: the fact that people outside of Goatse Security are believed to have accessed the information, or that AT&T knew this happened and did not fess up. Either way, we know which one is the least surprising.

It’s not known whether or not Apple was ever made aware of the situation. Both companies have declined to comment on the matter.

66 Comments
  • MikeD

    What is wrong with people around here? It’s not funny if it happens to any device. I wish the fools who think this is funny would grow up.

    You wouldn’t want this to happen to you. I know some people hate on Apple and think this is funny but it’s not. The security hole in Adobe’s products wasn’t funny either. Grow up you dorks. There’s a line and you crossed it. If you think when this happens to any device/computer/software that it is funny, you are a certified asshole. PERIOD.

    • Weldy

      If you ordered an iPad, you deserved it.

  • Mrwirez

    Apple lost their touch.. they are the NEW Microsoft and AT&T still sucks..

  • Kirk
  • Galen20K

    APPLE FAIL!!! HA! lame ass company.

  • Reggie S

    Do you really think AT&T should say something about this BEFORE they fix the problem and determine if there are any similar holes? Why did that “security” company share this info with other parties instead of going to AT&T 1st and telling them?

    And BGR… why such a negative view on AT&T all the time? Did they wrong you somehow? Are you on Verizon’s payroll? Why not take a hard view on the goobers who used this security flaw to pull all of that information? I see nothing negative in your article about that. Is it because you think it’s OK simply because it put AT&T in a bad light? Do you care that little about the thousands of people whose info was grabbed by those creeps?

    • twest

      Yes AT&T should have done something… you know, like reaching out and contacting or warning those possibly affected. A couple of years ago my bank had a small breach that may or may not have affected me and they reached out and called me (and mailed a letter as well) to inform me etc. AT&T is in a negative light because it screws up… a lot. Fix the problems instead of glossing them over, or spending the money on stupid commercials… and actors to star in them. They want us to buy their products and services, but fail to provide reliability and/or security for it and our personal information… yeah, sign me up… NOT!

    • paulold

      AT&T is to blame here. And as a current customer of AT&T and a former Verizon customer, I can tell you that AT&T’s network, while getting better slowly over time, is far worse than Verizon’s. Apple choosing AT&T for the iPhone (and now the iPad) was their worst decision ever, though the ability to surf the web while making a call was something Verizon’s network was not able to handle in the past. I pay AT&T a lot of money to have the ability to make a call or use the internet on my iPhone – and their network is frustrating and disappointing. And yes – this makes people very negative towards AT&T. I love my iPhone – I don’t want to give it up – but I hate the cell phone network it comes with. Someday this bickering will all be a thing of the past when they finally give consumers true broadband internet wherever we go.

  • Dara

    This is the result of AT&T “helping you out” with their AJAX service that sends back an email address. Thanks guys, but maybe having an email address autofill in a webform isn’t something that people needed at the expense of their privacy.

    You have to assume that as of now there is a master list that has iPad ICC-ID tags matched with email addresses.

    These people are now subject to iPad/Apple themed phishing and anyone with an interest in data that belongs to the people behind any of those email addresses now has an incentive to develop malware for the iPad.

    All because AT&T thought it would be “helpful” or “intuitive” if your email address was automatically filled in on their form.

  • DustinC

    1. AT&T didn’t try to “cover anything up”. They admitted there was a security breach and that it was fixed.

    2. Someone seeing your email address is a huge security breach? Come on. Big f’n deal.

    BGR needs to stop trying to feed the AT&T haters on this site with their biased reporting.

    • Rob

      Ok, so post your email address then, if it’s no big deal. Privacy is huge for most people.

  • Ryszard

    “This is an incredibly serious issue,” “confidential user info.” Are we not exaggerating just a little bit here? We’re talking about email addresses, not passwords or any other secure information. Ever received a spam message? Hey, your email address is already out there.

  • tkor

    Last time I knew the iPad belonged to Apple not AT&T. The headline of this article only sheds further light on BGR’s unbelievable bias against AT&T. It’s called an “Apple iPad” not an “AT&T iPad.”
