Goatse Security: The iPad simply is not a safe platform for those that require a secure environment


Goatse Security, the firm that blew the lid off of an exploit that allowed the names and email addresses of over 114,000 iPad owners to be farmed, is speaking out. In a blog post, Goatse team member Escher Auernheimer writes:

I released a semantic integer overflow exploit for Safari through Goatse Security in March– it was patched on Apple’s desktop Safari but has yet to be patched on the iPad. This bug we crafted allows the viewer of a webpage to become a proxy (behind corporate and government firewalls!) for spamming, exploit payloads, password bruteforce attacks and other undesirables. The kicker is that this attack cannot be detected by any current IDS/IPS system. We released this in March, mind you, and Apple still hasn’t got around to patching this on the iPad! I know through personal experience that the patch time for an iPad vulnerability is over two months and counting. Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands. The iPad simply is not a safe platform for those that require a secure environment.

And it doesn’t stop there. Addressing some of the verbiage in AT&T’s apology letter, Auernheimer goes on to say:

AT&T had plenty of time to inform the public before our disclosure. It was not done. Post-patch, disclosure should be immediate– within the hour. Days afterward is not acceptable. [...] AT&T says the person responsible for this went “to great efforts”. I’ll tell you this, the finder of the AT&T email leak spent just over a single hour of labor total (not counting the time the script ran with no human intervention) to scrape the 114,000 emails. If you see this as “great efforts”, so be it.

Auernheimer closes with: “We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare. We understand that good deeds many times go punished, and AT&T is trying to crucify us over this. [...] We did the right thing, and I will stand by the actions of my team and protect the finder of this bug no matter what the cost.” Amen, Escher, Amen. Your move Apple/AT&T.


35 Comments
  • who dat

    But it’s magical, brilliant, and hackable, woo hoo stevo!

    • Jarrett

      And it’s enough of a device that you can’t keep from commenting about it. Woo hoo

  • Perspective

    Get a clue. . .everything’s hackable.

    “We love America and the idea of the Russians or Chinese being able to subvert American infrastructure is a nightmare.”

    The bigger nightmare is the publicity seeking “security” firms. Thankfully this story is just about played out.

  • http://www.flickr.com/photos/PACMan3000/ Paul A. Chapel

    Yes, their hack on AT&T’s servers was ethical all right and just to celebrate how ethical it is, I’m going to break into my neighbor’s house to demonstrate just how weak his security system is, and when he finds me in his kitchen drinking his beer, I’m sure we’ll have a nice laugh together. I mean, it’s not like I could have just given him a call to tell him about the faulty locks on his doors, right? It’s obviously just better to break in, and then phone the local media to let them know how I did it.

    I’m sure the cops will understand.

    • AusFest

      LOL, I’d make sure you finish all the beer before making that call

    • seven5suited

      Both sides have a bit to apologize for, but in the end, you (as a consumer) will probably benefit from what took place. I think that may be their point, aside from looking for some publicity.

    • yotube

      stupid analogy. and i bet you felt smart after posting that. like as if computer offenses are the same as burglary offenses. if that were the case, the very people who are brilliant enough to find exploits like this would not be landing the triple figure salaries they get with microsoft, antivirus companies, etc. troll somewhere else

      • http://www.smiteahippie.com Smite A. Hippie

        I bet you feel smart in your smug reply too.

        It *is* an equal analogy; finding an exploit is different than committing one.

        Just because I realize my neighbor’s door is unlocked, doesn’t mean I’m justified in going inside his home and copying his personal papers.

    • http://www.flickr.com/photos/PACMan3000/ Paul A. Chapel

      This is how low the Apple Haters have fallen. They’re so desperate to see Apple fail, they’re siding with a group of hackers with the disgusting pic above as a logo.

      Meanwhile, people are lining up outside of stores to PRE-ORDER the iPhone.

      • Doll

        This is how idiotic Apple fans have become. They flame a company who tried to HELP Apple avoid security exploits rather than flaming the company who has been aware of the security issue for months and still hasn’t fixed it. Meanwhile, people are lining up outside of stores to pre-order the iPhone. A bunch of idiots, I tell you.

  • mikes

    I’m still having a hard time believing there is a company named “Goatse” security….I mean, everyone knows what that is right?

    • RattyUK

      And their logo?

    • What

      A gaping hole, right?

    • Bob Dole

      lol, look who owns “goatse security”, it’s the GNAA, a well known trolling organization that got racial epithets on CNN, has caused numerous headaches for wikipedia, and is the proprietor of the “lastmeasure” shock site.

  • Doll

    Smh @ these responses. When Google had a similar security problem, people were up in arms, but because it’s Apple, security issues are “normal” and acceptable? That’s ridiculous. What’s even more ridiculous is the fact that not only did AT&T neglect to inform its customers in a timely manner, but that Apple still hasn’t released a patch after MONTHS. Go figure people praise Apple for making such “secure” products. Go figure.

  • Jay

    Oh snap! Sorry Apple, you are not ready for the corporate world, that is why RIM rules it.

  • hype22

    I will accept all apologies now…..go ahead apple get big and smug, but you truly know your security and vulnerabilities are huge…..att takes the hit again, just like with the flawed antenna on the iphone, my friends have an iphone and they love it but many times i would have service and they wouldn’t, that non scientific approach would tell me antenna and not the so-called network problem …good luck going main stream and away from the hardcore base

  • hype22

    about that logo,someone just took a bite of that apple …….right it was ADAM

  • yoshi

    Neither is Android. Matter of fact – out of all mobile devices out there – only the Blackberry meets the requirements for a completely secure environment. It also makes it very difficult to use outside of e-mail.

    (and the individuals who make up ‘goatse’ are unethical and attention whoring asses. pun intended).

  • Korger

    I like how they stress (behind corporate and government firewalls!) If corporations and the government aren’t set up to block proxies, then the iPad is the least of their worries.

  • chachi

    If they were so concerned about nation, honor and mom’s apple pie, why did they go to Gawker first with the info, instead of AT&T? By their own admission, they contacted a sensationalist website who then contacted AT&T for comment.

    Not ethical behavior. Sorry. Makes the rest of their claims dubious. While they might engineer exploits for platforms and browsers, there’s no indication that they have found any code that executes inside iOS in a meaningful way. Particularly on unconnected devices.

  • Anonymous

    The iSheep butthurt is palpable.

  • Jake

    Ethics aside, a lot of denial going on.

    Magical tunnel vision indeed.

  • Joe B

    A lot of you are attacking Goatse for this but they demonstrated a serious lack in security that both Apple and AT&T seemed to care less about addressing. Apple knew about this for months and had yet to fix it, and AT&T after discovering this took place waited several days to disclose this information. Goatse gave AT&T time to do the right thing and come forward to their customers, AT&T chose to drag their feet so Goatse forced their hand. And if this was about Google a lot of you would be writing vile things about this but because it is negative towards Apple it is a non-issue. Hypocrites.

    • JeffE

      That’s because it’s a magical, stupendous, wonderfully innovative vulnerability. With copious superlatives, it doesn’t matter what your flaws are.

  • Korger

    Doesn’t this part bother anyone?
    “Given that, the number of parties which probably have active iPad exploits likely numbers in the hundreds, if not the thousands.”
    How do they come to that conclusion unless they released something active in the wild.

    Are they just guessing that someone else wrote a similar exploit that’s in the wild? Or did they just slit their own throat?

    • diableri

      They are guessing that because the exploit was relatively easy… this isn’t rocket science man. Anyone with similar experience could pull this off; and it’s still not fixed.

  • Dara

    “Security firms” like this seem pretty sketchy because of what they do. Despite this, they serve a purpose and there aren’t many ways to do it but the “wrong” way.

    Unfortunately, within big companies, there is an aversion to admitting weakness.

    When somebody contacts them and tells them they’ve got a security problem, they aren’t likely to announce it and in fact they might even ignore it.

    So you have these so-called “white hat” hackers who now know of an exploit and usually it turns out to be something pretty simple that can be turned into a script and accessed by almost anyone.

    So what do you do?

    The large company isn’t doing anything, you don’t have a platform (unless you’re Norton), and if you went to the media with a technical description of a vulnerability all you’d get is blank stares.

    If you go to the media with a claim about hundreds of thousands of emails being stolen then you get somewhere. They still don’t understand the (in)significance, but it’s sensational enough to publish.

    So these guys are definitely seeking publicity, but it’s because they have to, and it’s not the worst thing they could be doing with their expertise.

  • Plazmic

    Goatse = worst professional-wise but funniest logo ever.

  • justfinethanku

    dear god, are you really quoting a company with a man stretching out his asshole as their logo??? is that how far you’ll go for “news”

    this literally makes me physically sick.

    Posted from BGR Mobile (iPhone).

    • Anonymous

      lol, trolled.

  • tdubz

    Sooo I just found out what goatse means and the definition with that picture as their logo makes me strongly second guess anything they say…

  • loki

    @Smite A. Hippie,

    agreed, even security books use the same analogy when it comes to port scanning.

    The similarity is based on someone probing the network to find a vulnerability in a system and if found report it or exploit it.

    The same can be said for someone walking down a neighborhood checking the front doors to see if they are locked or unlocked. If one is found unlocked, then it all depends on the person’s actions.

    Posted from BGR Mobile (iPhone).

  • http://mobilereviews.org/ mobile reviews

    Security vulnerability about Unlocking, would not be a good idea. However, the actions of the people or the users do matter a lot.

  • http://www.goatse.bz goatse

    AT&T strike again
