Um, wow. Gawker revealed today that a group of hackers from Goatse Security (no joke) were recently able to breach AT&T’s servers and obtain confidential user info on a significant amount of AT&T’s iPad 3G users. AT&T eventually patched up the hole in its system after being informed of its existance by Goatse Security, but that was after the confidential information such as email addresses of an estimated 114,067 iPad 3G users — including top level government officials, high-ranking military officers, and Fortune 500 CEOs — were exposed. Here’s how the data was obtained.
When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad “Settings” application.
To make AT&T’s servers respond, the security group merely had to send an iPad-style “User agent” header in their Web request. Such headers identify users’ browser types to websites.
The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it’s not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it’s likely many accounts beyond the 114,000 have been compromised.
It goes without saying that this is an incredibly serious issue, and is one that most definitely gain more exposure over the coming days. In some ways, we have to wonder what is more concerning: the fact that people outside of the Goatse Security are believed to have accessed the information, or that AT&T knew this happened and did not fess up. Either way, we know which one is the least surprising.
It’s not known whether or not Apple was ever made aware of the situation. Both companies have declined to comment on the matter.