Print 17 comment(s) - last by piroroadkill.. on Jun 15 at 4:42 AM

Sorry we let your email leak. Love, AT&T  (Source: Boy Genius Report)

Some members of the Goatse Security team, such as Sam Hovecar, reside outside the U.S., which could hinder possible prosecution efforts.  (Source: Wikimedia Commons)
FBI may have trouble prosecuting the Goatse Security team given how easy the info was available

AT&T's iPad 3G customers may soon be getting a lot more spam.  Last week, security analysts with Goatse Security exploited AT&T's overly permissive web interface to obtain 114,000 email addresses of iPad 3G buyers, including a host of A-list politicians, military officials, business chiefs, and celebrities.  Goatse Security previously indicated that it may have disclosed the flaw to interested third parties before it was closed, raising the likelihood that malicious parties may have harvested iPad owners' emails for spamming or other ill purposes.

On Sunday, AT&T’s VP of public policy and Chief Privacy Officer Dorothy Attwood today sent out an apology email to all of AT&T’s iPad 3G data plan subscribers.

In the email Attwood writes, "We apologize for the incident and any inconvenience it may have caused.  Rest assured, you can continue to use your AT&T 3G service on you iPad with confidence."

Later in the email, AT&T warns customers to be on the lookout for new spam emails.  They write, "While the attack was limited to email addresses and ICC-ID data, we encourage you to be alert to scams that could attempt to use this information to obtain other data or send you unwanted email.  You can learn more about phishing by visiting the AT&T website."

One interesting thing about the letter is its characterization of the Goatse Security analysts as "hackers" and the breach as an "attack".  AT&T also writes in a letter that the attack was "malicious", despite the fact that Goatse Security purportedly informed AT&T of the hole.

AT&T is cooperating with the Federal Bureau of Investigation to investigate the breach.  The investigation could yield criminal charges against the Goatse Security analysts, if they reside in the U.S.  In AT&T's letter it says that it does not tolerate leaking of personal information and will "prosecute violators to the fullest extent of the law."

In the case of Goatse Security, one thing that may hinder criminal charges is just how easy to find the information was.  The only "hack" of any sort Goatse Security had to engage in was to send AT&T's web application a request header that looked like it came from an iPad.  Sending fake request headers is nothing new, and not particularly illegal.  For example, many smartphones have the option to set your request header to either indicate you're on mobile phone, or to spoof websites to think you're on a PC and display the normal website.

With the easy-to-make iPad header in place, Goatse ran an extremely simple PHP script to guess a variety of ICC-ID numbers and store the resulting emails.  Harvesting private information that's accidentally exposed is a gray area of the law (
abusing such info is obviously a crime, though, under various laws, such as anti-spamming legislation).  Since Goatse did not break into password-protected systems or conduct any sort of serious attack on AT&T's servers, it's hard to say whether AT&T and the FBI will be able to successfully prosecute the team.

Goatse Security has issued a response, in which it argues that iPad owners had a right to know about this security flaw and that it did nothing wrong.  It writes:

This disclosure needed to be made. iPad 3G users had the right to know that their email addresses were potentially public knowledge so they could take steps to mitigate the issue (like changing their email address). This was done in service of the American public. Do you really think corporate privacy breaches should stay indefinitely secret? I don’t. If you’re potentially on a list of exploit targets because someone has an iPad Safari vulnerability and they scraped you in a gigantic list of emails it is best that you are informed of that sooner than later (after you’ve been successfully exploited). We did this to help you.

Another thing that could complicate prosecution is that the Goatse team appears to at least be partially be based out of France.  A WhoIS lookup on the domain (security.) reveals that it is hosted by a French registrar by the name of "GANDI" which resides in Paris (the company's contact email and phone number appear to be included in the registration).  Gandi's website can be found here and appears to offer hosting and security services.

Combining information provided by the team page on the Goatse Security site and simple Google name searches, we discovered that a couple of the team members indeed reside in the U.S. --Escher Auernheimer (Calif.), Christopher Abad (Calif.).  Others -- such as Sam Hocevar (France) -- reside outside the country.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

Just Plain Silly
By transamdude95 on 6/14/2010 9:52:28 AM , Rating: 2
This is ridiculous of AT&T... yeah, let's attack the people who made us aware of our of our gross negligence in safeguarding customers' data.

The only reason AT&T will attempt to go after these people is because they've lost face (like they had much to begin with).

RE: Just Plain Silly
By JasonMick on 6/14/2010 9:55:03 AM , Rating: 5
You can learn more about phishing by visiting the AT&T website.

Did anyone else find that sentence in AT&T's apology letter particularly ironic?

RE: Just Plain Silly
By Mitch101 on 6/14/2010 10:14:28 AM , Rating: 5

AT&T ruins the iPhone as a Phone and now they are ruining Apple user privacy with the iPad.

AT&T its not the network its the lack of service and security.

RE: Just Plain Silly
By Ravynmagi on 6/14/2010 10:05:26 AM , Rating: 2
This is ridiculous of AT&T... yeah, let's attack the people who made us aware of our of our gross negligence in safeguarding customers' data.

I think it's fair of AT&T to call them "hackers" and "malicious". They did pull the data on over 100,000 people. You certainly don't need that many examples to confirm your security test.

And giving out the information to third parties before notifying AT&T certainly seems malicious to me.

RE: Just Plain Silly
By cochy on 6/14/10, Rating: 0
RE: Just Plain Silly
By Motley on 6/14/10, Rating: 0
RE: Just Plain Silly
By TSS on 6/14/2010 11:04:08 AM , Rating: 1
Bull. If i was malicious and i found an extremely simple hack which gives large bounty i would keep my mouth shut, sell off the first batch wait a month see if something happens and then use it again to make more money.

The last thing i would do is make it public. Thats what these guys did, and they must have known the feds would be looking into it after they did. If they sold the emails then made it public... well then their stupid criminals yes, i wouldn't rule that out either.

But the point is, AT&T obviously doesn't care enough to even offer a basic level of security. Or apple. Both, probably. And this doesn't change unless you publicly expose them. That costs them business, hurts their bottom line and is often the only talk they understand.

I'd fine AT&T $1000 per email released because of their incompetent security policies. If goatse made any money off of this somehow, i'd say spoils of war. Then where's the justice for the consumer? A valuable lesson that says Not every network is as secure as they say they are.

RE: Just Plain Silly
By redbone75 on 6/14/2010 1:16:12 PM , Rating: 2
Then where's the justice for the consumer? A valuable lesson that says Not every network is as secure as they say they are.

You actually want to talk about justice for the consumer when you would admittedly profit off malicious activity? Enabling spammers is just as malicious as spamming, and any schmuck that would sell innocent consumers' email addresses to spammers deserves just as big a punishment as the spammers do. If your goal is to try to force AT&T to improve their security measures, then warn them about the flaw. If they do nothing, threaten to publish the flaw, and if they still do nothing then follow up on the threat (just be prepared to deal with the consequences). Do not, however, publish or sell the data gathered from the flaw. Makes you no better than the sleazy @$$h0les with far more malicious intent.

I think when independent (legitimate) companies find gaping security holes like this in large, publicly traded communications companies then the FTC and FCC should be the entities that are responsible for investigating formal complaints. If they don't want to increase their security of their own accord, then the threat of fines should.

RE: Just Plain Silly
By AEvangel on 6/14/2010 6:49:36 PM , Rating: 2
I'd fine AT&T $1000 per email released because of their incompetent security policies.

After reading your entire post that is about the only part of it that makes sense to me.

Goatse should be punished "IF" they released any of the emails to a third party. If they just happened upon the flaw in At&t security and then notified At&t customers and perhaps some 3rd party news websites that would sufficent.

However the idea that it's spoils of war? That really makes me want to dismiss your entire post as naive ramblings.

RE: Just Plain Silly
By hughlle on 6/14/2010 11:57:17 AM , Rating: 2
other than the fact that they did not publish the emails..

RE: Just Plain Silly
By dj LiTh on 6/14/2010 6:47:37 PM , Rating: 2
AT&T epic fail

Let me get this straight...
By IcePickFreak on 6/14/2010 2:48:38 PM , Rating: 4
You're saying that Goatse Security found a backdoor, and it was wide-open?

I'll pass on lunch today.

By piroroadkill on 6/15/2010 4:42:41 AM , Rating: 2
It was not only wide open, but then penetrated and exposed to the world.

By Divineburner on 6/14/2010 9:48:14 AM , Rating: 2
Goatse Security has issued a response, in which it argues that iPad owners had a right to now about this security flaw and that it did nothing wrong.

They sure know about it now ;)

Malicious or not?
By XtremeM3 on 6/14/2010 9:58:28 AM , Rating: 2
I am all for exposing security flaws, however the moment you put someone's e-mail address out to the public you lose "high and mighty" status IMHO. Sure, make a public announcement, contact AT&T, but what about John Doe having his e-mail address blasted out all over the interwebs for the sake of sensationalizing your story?

Yes, it was careless of AT&T. But I fail to see the good intent of making 114k e-mail addresses public other to make your story more popular. If I was one of the 114k I would be pissed at AT&T but also at those responsible for my e-mail address actually landing on a list made public knowledge that countless people are going to want to have fun with.

By CestNul on 6/14/2010 11:45:52 AM , Rating: 2
an individual by the name of "GANDI"

Gandi is a French registar. Hardly an individual.

Internet Superhero
By Runiteshark on 6/14/2010 10:33:55 PM , Rating: 1
Clearly a Superhero.

Look at that guy. Look at the name of the company. Epic.

I'm glad that there are people trying to show just how shitty ATT is.

"A lot of people pay zero for the cellphone ... That's what it's worth." -- Apple Chief Operating Officer Timothy Cook

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Inspiron Laptops & 2-in-1 PCs
September 25, 2016, 9:00 AM
Snapchat’s New Sunglasses are a Spectacle – No Pun Intended
September 24, 2016, 9:02 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki