

Our suggestion to iPad 3G owners: strengthen your passwords and purchase a good spam filter (sound advice in general, though...).  (Source: The Official Schipul Blog)

White House Chief of Staff Rahm Emanuel was one of the over 100,000 iPad 3G customers affected by AT&T's breach  (Source: Reuters)
Apple can't be happy with AT&T's epic security fail

In what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers according to Gawker.  The email addresses were obtained in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed.

The names of victims immediately draw attention to the story.  Among them are New York Times Co. CEO Janet Robinson, Diane Sawyer of ABC News, film mogul Harvey Weinstein, New York City Mayor Michael Bloomberg, and even White House Chief of Staff Rahm Emanuel.  A number of CEOs, CFOs, and CTOs also had their email addresses exposed by the leak.

Additionally, a number of the email addresses exposed were from high-ranking military officials or DARPA researchers.  Among these was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

Every one of these individuals and thousands of other everyday people had their email addresses and corresponding ICC-IDs (integrated circuit card identifiers) leaked.  The ICC-ID is a number used to uniquely identify SIM cards for a particular subscriber's device.

How did Goatse get this treasure trove of data?  Apparently AT&T left a script on its public website which, when handed an ICC-ID, responded with the email address of the subscriber.  This apparently was intended to serve an AJAX-style response inside AT&T's web apps.

The complete lack of protections allowed the group to freely guess ICC-IDs based on known IDs from iPad pictures posted online, and in turn harvest the resulting email addresses.  The only "trick", if you could call it that, was to spoof the site into thinking the requests came from an iPad browser by adding an iPad-style "User-Agent" header to each Web request.

A simple PHP script later, Goatse Security had hoards of email addresses to sift through.  And here's the kicker -- before reporting this gaping hole to AT&T, they shared the exploit with various interested parties.  So there's no telling who else used it, how many more IDs were leaked, or what other damage could have resulted.
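The flaw described above comes down to one design error: the server took an identifier from the client, and a client-controlled header, as proof of who was asking. As an added illustration (this is not AT&T's code, which was never published; the ICC-IDs, e-mail addresses, session tokens and log lines below are all constructed), the following Python models that weak lookup beside a hardened version, where identity comes from a server-side session rather than the request, unknown or foreign IDs get the same empty answer, and per-client lookups are throttled. It also includes a small access-log check a defender could run to spot one client walking through a range of ICC-IDs. The header name `X-Session`, the `/lookup` path and the log format are assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample directory, ICC-ID -> e-mail (invented, not real subscribers).
SUBSCRIBERS = {
    "89014100000000000001": "alice@example.com",
    "89014100000000000002": "bob@example.com",
}

# Constructed server-side sessions: opaque token -> the ICC-ID the user logged in with.
SESSIONS = {"session-token-alice": "89014100000000000001"}


@dataclass
class Request:
    headers: dict
    params: dict
    client_ip: str


def weak_lookup(req):
    """The flawed pattern: a client-controlled User-Agent is the only gate,
    and any ICC-ID the caller names is resolved to an e-mail address."""
    if "iPad" not in req.headers.get("User-Agent", ""):
        return 403, ""
    return 200, SUBSCRIBERS.get(req.params.get("ICCID", ""), "")


class RateLimiter:
    """Per-client request counter (a real deployment would use a time window)."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def hardened_lookup(req, limiter):
    """Identity comes from a server-side session, never from request parameters
    or headers.  A missing session, or an ID that is not the session's own,
    yields an empty body, so guessing IDs returns nothing useful."""
    if not limiter.allow(req.client_ip):
        return 429, ""
    iccid = SESSIONS.get(req.headers.get("X-Session", ""))  # assumed header name
    if iccid is None:
        return 401, ""
    if req.params.get("ICCID") != iccid:
        return 404, ""
    return 200, SUBSCRIBERS[iccid]


# Matches "<client ip> ... ICCID=<digits>" in a constructed access-log line.
LOG_RE = re.compile(r"^(?P<ip>\S+) .*?ICCID=(?P<iccid>\d+)")


def enumeration_suspects(log_lines, threshold):
    """Return client IPs that looked up more than `threshold` distinct ICC-IDs:
    a legitimate device asks about its own ID, not a range of them."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["ip"]].add(m["iccid"])
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


# Constructed access-log sample: one normal client, one walking a range of IDs.
SAMPLE_LOG = [
    '198.51.100.7 - - [09/Jun/2010:10:00:01 +0000] "GET /lookup?ICCID=89014100000000000001 HTTP/1.1" 200',
] + [
    f'203.0.113.9 - - [09/Jun/2010:10:00:0{i} +0000] "GET /lookup?ICCID=8901410000000000000{i} HTTP/1.1" 200'
    for i in range(1, 8)
]


def demo():
    """Run the weak and hardened handlers on the same spoofed request."""
    spoofed = Request({"User-Agent": "Mozilla/5.0 (iPad; CPU OS 3_2)"},
                      {"ICCID": "89014100000000000002"}, "203.0.113.9")
    weak = weak_lookup(spoofed)                      # leaks bob's address
    hard = hardened_lookup(spoofed, RateLimiter(5))  # 401: no session at all
    own = Request({"X-Session": "session-token-alice"},
                  {"ICCID": "89014100000000000001"}, "198.51.100.7")
    return weak, hard, hardened_lookup(own, RateLimiter(5)), enumeration_suspects(SAMPLE_LOG, 3)


if __name__ == "__main__":
    print(demo())
```

The hardened handler deliberately ignores the ICC-ID parameter as a source of identity; it only confirms that the caller's session already belongs to that ID. That is what removes the enumeration: with no session there is no answer, and with a session there is only ever one answer. The log check is a coarse heuristic, but a single source querying many distinct identifiers is exactly the shape the article describes and is cheap to alert on.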

With the ICC-ID and unique email in hand, malicious parties could easily launch mass attacks to try to gain further access.  For example, it's likely that at least one of those email addresses with the password "darthvader" would return account access.

This huge breach is likely worrisome to those who are thinking of buying an iPad 3G; most people would prefer their personal email address not get shared with the masses.  The only consolation here is that if your password is sufficiently strong and your email address does not hint at your identity, the leak might not be that big a deal (other than subjecting you to a bit of extra spam).

Apple, which has already hinted at its displeasure with AT&T on certain issues, certainly can't be thrilled about this development either.  It releases a hit new product, and now thanks to the service provider over a hundred thousand of its customers have had their personal information compromised.  Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled, but by now the damage is probably already done.  One thing's for sure.  There's going to be a lot of fallout from this incredible breach.

Updated: 6:35 p.m. June 9, 2010-

We just received the following official statement from an AT&T spokesperson:

AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses. The person or group who discovered this gap did not contact AT&T. We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained. At this point, there is no evidence that any other customer information was shared. We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.




please
By Connoisseur on 6/9/2010 6:21:35 PM , Rating: 5
tell me this was intentional: "Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled, but by now the damage is probably already done. "




RE: please
By JasonMick (blog) on 6/9/2010 6:29:04 PM , Rating: 2
Well he does claim to be pretty good at filling in holes of various natures, be they routes to iPhone root access

http://www.dailytech.com/Apple+Kills+Jailbreaking+...

or ...err otherwise...

http://www.dailytech.com/Suicides+Stolen+iPhones+F...


RE: please
By MrBlastman on 6/10/2010 8:54:41 AM , Rating: 4
He is _excellent_ at filling holes, the holes in his customers' behinds as he rapes them for everything they are worth...

Oh, and humorously enough, thank you Jason for pointing out that Rahm is one of the doflatches that wasted money on an ipad. It makes me feel all warm and happy inside knowing we've got an i-drone in the upper echelon of our Government wasting his own money while he's helping make decisions on how the nation spends theirs.


RE: please
By Breathless on 6/10/2010 9:05:24 AM , Rating: 2
Take that Rahmy


RE: please
By YashBudini on 6/10/2010 1:01:37 AM , Rating: 2
I thought he has a great sex life. Gaping holes are just another opportunity.


Holes
By monomer on 6/9/2010 6:16:28 PM , Rating: 5
I would like to thank Jason for his choice of Hole picture that he used, instead of the much more obvious choice considering the name of the group that published the emails.




RE: Holes
By inperfectdarkness on 6/10/2010 6:10:09 AM , Rating: 3
but if he used that picture, this article would be banned on the iphone, and now apparently, windows 7 based phones as well....


RE: Holes
By acase on 6/10/2010 1:04:10 PM , Rating: 2
Yes, and I don't know about you, but I was careful to inspect every link before clicking it...


Double Standards
By Tony Swash on 6/10/10, Rating: 0
RE: Double Standards
By theapparition on 6/10/2010 11:07:50 AM , Rating: 3
quote:
The anti-Apple stuff at Daily Tech, playing up everything that could possible link Apple to something negative, is getting tired.

Last I checked, no one was holding a gun to your head. don't like it, move along.

And the google story was covered many times here on DT, so get a life.


RE: Double Standards
By Smilin on 6/10/2010 12:57:15 PM , Rating: 4
Tony you're an Apple shill. Your daily pro-Apple blathering is what is really getting tiresome here.

The whole "anti" stuff in this article was directed at AT&T so settle down, kick your feet up, and have a nice glass of Jobs Kool-aid m'kay?


RE: Double Standards
By ClownPuncher on 6/10/2010 2:14:41 PM , Rating: 3
Damn, Tony Swashtika.


Good Headline - Misleading Article
By gw307 on 6/9/2010 6:33:11 PM , Rating: 3
The headline is nice and accurate, but the rest of the article is really fuzzy regarding the extent of the breach. It's reported by Gawker that email "addresses" were revealed, not personal emails, i.e., messages.

Example: In what is one of the biggest leaks of emails in recent history, a group called Goatse Security has published the personal emails of 114,067 iPad 3G purchasers according to Gawker. The emails were obtained in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed.




By Brandon Hill (blog) on 6/9/2010 6:35:43 PM , Rating: 2
Corrected


Goatse Security?
By 4GEG98 on 6/9/2010 7:18:49 PM , Rating: 2
The article makes no mention of Goatse Security beyond stating they broadcast the personal emails of tons of people, many of whom are members of the federal government.

What steps are being taken in investigating Goatse Security and what could happen to them if they're found?




RE: Goatse Security?
By flatrock on 6/9/2010 7:58:22 PM , Rating: 3
quote:
The article makes no mention of Goatse Security beyond stating they broadcast the personal emails of tons of people, many of whom are members of the federal government.


They didn't broadcast any personal data. They did let others know that AT&T had a script available on a public web site that they shouldn't have. The nice thing to do would have been to inform AT&T of their mistake and let them fix it before gloating about finding this, and keeping the actual email addresses to themselves. However, I doubt they broke any laws by retrieving data that AT&T made publicly available.


And yet...
By raumkrieger on 6/9/2010 7:01:50 PM , Rating: 2
With all the recent news stories like this that give intelligent consumers several reasons to avoid Apple and/or AT&T entirely, why are people still buying their crap?




RE: And yet...
By Shadowself on 6/9/2010 10:26:17 PM , Rating: 2
They are buying Apple equipment because they like the interface or they "like the shiny". Buying (or better yet, not buying) Apple products has virtually nothing to do with this event.

You should actually read the article and other related documentation. This is 100% an AT&T screw up. It could just as easily have been a non Apple smart phone that AT&T supports.

If there were not enough reasons to avoid AT&T here's one more.


Too bad...
By BigToque on 6/9/2010 7:30:06 PM , Rating: 4
If AT&T wasn't so good at pissing people off, perhaps the person who found this issue might have just reported it instead of letting everyone know about it.




It's a FEATURE!!
By marvdmartian on 6/10/2010 9:07:33 AM , Rating: 3
AT&T, where you can make a phone call, surf the internet, and get spammed, all at the same time!

I challenge Verizon to match that!! ;)




Apple's breach?
By JimboK29 on 6/10/2010 7:56:47 AM , Rating: 2
Threatcore News is headlining this as an Apple Breach. Gawker broke this story from what it looks like.




Great story or greatest story
By piroroadkill on 6/10/2010 9:51:59 AM , Rating: 2
It's up there with the best.

Goatse Security. Utterly fantastic.




Really?
By Goty on 6/9/2010 10:54:23 PM , Rating: 1
Goatse? Gaping holes? Please tell me I'm not the only one who sees this.




By ChipDude on 6/10/2010 1:57:20 AM , Rating: 1
LOL, can't wait to see what Jobs says about this.

No Flash because it's a stability and security risk.

But it's okay to stay with ATT even though they drop calls, have slow connections and security issues.

Go Android Go, the masses want a choice.

Anyone remember the 1984 commercial? Who is big brother these days controlling everything from software to what runs on your iTOY?

Jobs is that guy in the commercial and all them iLovers them dumb sheep sitting and lapping it up!




HAHAHAH
By FaceMaster on 6/9/10, Rating: -1
RE: HAHAHAH
By Kragoth on 6/9/2010 7:35:39 PM , Rating: 2
The "Reading and Comprehension Boss" hits you for over 9000.
Or if you prefer it a different way.
You failed at reading and comprehending the article, try again.

The ONLY thing Apple had to do with this is that it was related to customers that had purchased an iPad. (Obviously a mistake, but not Apple's fault. :P j/k)
Other than that it has everything to do with AT&T and nothing to do with Apple.


RE: HAHAHAH
By FaceMaster on 6/10/10, Rating: 0
RE: HAHAHAH
By hughlle on 6/10/2010 6:45:04 AM , Rating: 2
god you're a loser


RE: HAHAHAH
By FaceMaster on 6/10/2010 9:56:24 AM , Rating: 1
No I'm not, I have opened my eyes to the world. You probably think that countries are run by governments and that you go about, working and trying to help the economy. Well guess what- you need to wake up. Reptilian shape-shifters from another dimension rule the world and come 2012 you'll see that it is true. Is it any coincidence that the year Windows 8 is released also happens to be 8 years behind the supposed 'Singularity'? Planet X is moving towards us as we speak and the end of the world as we know it approaches. The illuminati has a powerful grasp on the world, that is why I am posting this under a fake username. I travel the internet behind 7 proxies using a cracked copy of Windows XP so that they do not have any trace of where I live. You should do the same unless you want to be taken in the night by the reptiles that rule the world. They will suck out (what is left of) your brain and will turn you into Ryptoks, doomed to serve them for all eternity in HELL. Apple is the one true force of good, as it fights against the popular trends. Buying an iPod is the sign of being unique and clever, since it is years ahead of the rest of the industry. The illuminati spread lies and hate towards Apple because of this, and most of this website has been brainwashed by the lies. Hear me, brother, and we can head towards the promised lands and away from the world which will be consumed by fire in a final judgement day... in 2 years' time.


RE: HAHAHAH
By mydogfarted on 6/10/2010 10:25:32 AM , Rating: 2
You're, not YOUR.
you're = you are

Signed,
Spelling Fanboy. Spelling r gud.


RE: HAHAHAH
By FaceMaster on 6/10/2010 11:37:32 AM , Rating: 1
quote:
Spelling r gud


...fail much?


RE: HAHAHAH
By Quadrillity on 6/10/2010 11:44:20 AM , Rating: 2
Wow you really are that stupid huh? You better get off the internet before your 8th grade teacher finds out that you aren't doing your math worksheet!


RE: HAHAHAH
By FaceMaster on 6/10/2010 6:18:26 PM , Rating: 2
I tried telling him but he just won't listen!


RE: HAHAHAH
By Quadrillity on 6/11/2010 9:07:38 AM , Rating: 2
FaceMaster, I'll take this as a horrible attempt at internet sarcasm; because no-one is this stupid (at least I hope to God not).


RE: HAHAHAH
By FaceMaster on 6/11/2010 2:35:58 PM , Rating: 2
I'm not stupid, I'm just reflecting the views of the general populace!


RE: HAHAHAH
By Quadrillity on 6/11/2010 4:13:09 PM , Rating: 2
quote:
I'm not stupid, I'm just reflecting the views of the general populace!


Sadly enough, the general population is stupid; but you still don't get what's going on in this thread lol. Just give up...


RE: HAHAHAH
By callmeroy on 6/11/2010 12:07:06 PM , Rating: 2
Well he would have to exert A LOT more effort to fail as much as you....

Come to think of it..EVERYONE would....

