Print 38 comment(s) - last by Quadrillity.. on Jun 11 at 4:13 PM

Our suggestion to iPad 3G owners: strengthen your passwords and purchase a good spam filter (sound advice in general, though...).  (Source: The Official Schipul Blog)

White House Chief of Staff Rahm Emanuel was one of the over 100,000 iPad 3G customers affected by AT&T's breach  (Source: Reuters)
Apple can't be happy with AT&T's epic security fail

In what is one of the biggest leaks of email addresses in recent history, a group called Goatse Security has published the personal email addresses of 114,067 iPad 3G purchasers according to Gawker.  The email addresses were obtained in what appears to be a legal fashion by querying a public interface that AT&T accidentally left exposed.

The names of victims immediately draw attention to the story.  Among them are New York Times Co. CEO Janet Robinson, Diane Sawyer of ABC News, film mogul Harvey Weinstein, New York City Mayor Michael Bloomberg, and even White House Chief of Staff Rahm Emanuel.  A number of CEOs, CFOs, and CTOs also had their email addresses exposed by the leak.

Additionally, a number of the email addresses exposed were from high-ranking military officials or DARPA researchers.  Among these was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

Every one of these individuals and thousands of other everyday people had their email addresses and corresponding ICC-IDs (integrated circuit card identifiers) leaked.  The ICC-ID is a number used to uniquely identify SIM cards for a particular subscriber's device.

How did Goatse get this treasure trove of data?  Apparently AT&T left a script on their public website, which when handed an ICC-ID would respond back with the email address of the subscriber.  This apparently was intended for an AJAX-style response inside AT&T's web apps.  

The complete lack of protections allowed the group to freely guess ICC-IDs based on known IDs from iPad pictures posted online, and in turn harvest the resulting email addresses.  The only "trick", if you could call it that, which they had to do was to spoof the site into thinking they were using a iPad browser by adding an iPad-style "User agent" header in their Web request.

A simple PHP script later, Goatse Security had a hoards of email addresses to sift through.  And here's the kicker -- before reporting this gaping hole to AT&T, they shared the exploit with various interested parties.  So there's no telling who else used it, how many more IDs were leaked, or what other damage could have resulted.

With the ICC-ID and unique email in hand, malicious parties could easily launch mass attacks to try to gain further access.  For example, it's likely that at least one of those email addresses with the password "darthvader" would return account access.

This huge breach is likely worrisome to those who are thinking of buying an iPad 3G – most people would prefer their personal email address 
not get shared with the masses.  The only consolation here, is that if your password is sufficiently strong and your email address does not hint at your identity, the leak might not be that big a deal (other than subjecting you to a bit of extra spam).

Apple, which has already hinted at its displeasure with AT&T on certain issues, certainly can't be thrilled about this development either.  It releases a hit new product, and now thanks to the service provider over a hundred thousand of its customers have had their personal information compromised.  Apple CEO Steve Jobs surely won't rest until AT&T's gaping hole is filled, but by now the damage is probably already done.  One thing's for sure.  There's going to be 
a lot of fallout from this incredible breach.

Updated: 6:35 p.m. June 9, 2010-

We just received the following official statement from an AT&T spokesperson:

AT&T was informed by a business customer on Monday of the potential exposure of their iPad ICC IDS. The only information that can be derived from the ICC IDS is the e-mail address attached to that device. This issue was escalated to the highest levels of the company and was corrected by Tuesday; and we have essentially turned off the feature that provided the e-mail addresses.  The person or group who discovered this gap did not contact AT&T.  We are continuing to investigate and will inform all customers whose e-mail addresses and ICC IDS may have been obtained.  At this point, there is no evidence that any other customer information was shared.    We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By FaceMaster on 6/9/2010 6:59:46 PM , Rating: -1
This latest MAJOR SLIP UP by Apple just shows how much they suck as a company. I can't believe that their OS got a virus that leaked the emails stored on the system! This is proof that Apple isn't virus-free and that they're stupid enough to leave the email addresses lying around like that. No other company other than APPLE could do such a thing!

By Kragoth on 6/9/2010 7:35:39 PM , Rating: 2
The "Reading and Comprehension Boss" hits you for over 9000.
Or if you prefer it a different way.
You failed at reading and comprehending the article, try again.

The ONLY thing Apple had to do with this is that it was related to customers that had purchased an iPad. (Obviously a mistake, but not Apple's fault. :P j/k)
Other then that it has everything to do with AT&T and nothing to do with Apple.

By FaceMaster on 6/10/10, Rating: 0
By hughlle on 6/10/2010 6:45:04 AM , Rating: 2
god you're a loser

By FaceMaster on 6/10/2010 9:56:24 AM , Rating: 1
No I'm not, I have opened my eyes to the world. You probably think that countries are run by governments and that you go about, working and trying to help the economy. Well guess what- you need to wake up. Reptilian shape-shifters from another dimension rule the world and come 2012 you'll see that it is true. Is it any coincidence that the year Windows 8 is released also happens to be 8 years behind the supposed 'Singularity' ? Planet X is moving towards us as we speak and the end of the world as we know it approaches. The illuminatii has a powerful grasp on the world, that is why I am posting this under a fake username. I travel the internet behind 7 proxies using a cracked copy of Windows XP so that they do not have any trace of where I live. You should do the same unless you want to be taken in the night by the reptiles that rule the world. They will suck out (what is left of) your brain and will turn you into Ryptoks, doomed to serve them for all eternity in HELL. Apple is the one true force of good, as it fights against the popular trends. Buying an Ipod is the sign of being unique and clever, since it is years ahead of the rest of the industry. The illuminatii spread lies and hate towards Apple because of this, and most of this website has been brainwashed by the lies. Hear me, brother, and we can head towards the promised lands and away from the world which will be consumed by fire in a final judgement day... in 2 years' time.

By mydogfarted on 6/10/2010 10:25:32 AM , Rating: 2
You're, not YOUR.
you're = you are

Spelling Fanboy. Spelling r gud.

By FaceMaster on 6/10/2010 11:37:32 AM , Rating: 1
Spelling r gud much?

By Quadrillity on 6/10/2010 11:44:20 AM , Rating: 2
Wow you really are that stupid huh? You better get off the internet before your 8th grade teacher finds out that you aren't doing your math worksheet!

By FaceMaster on 6/10/2010 6:18:26 PM , Rating: 2
I tried telling him but he just won't listen!

By Quadrillity on 6/11/2010 9:07:38 AM , Rating: 2
FaceMaster, I'll take this as a horrible attempt at internet sarcasm; because no-one is this stupid (at least I hope to God not).

By FaceMaster on 6/11/2010 2:35:58 PM , Rating: 2
I'm not stupid, I'm just reflecting the views of the general populace!

By Quadrillity on 6/11/2010 4:13:09 PM , Rating: 2
I'm not stupid, I'm just reflecting the views of the general populace!

Sadly enough, the general population is stupid; but you still don't get what's going on in this thread lol. Just give up...

By callmeroy on 6/11/2010 12:07:06 PM , Rating: 2
Well he would have to exert A LOT more effort to fail as much as you....

Come to think of it..EVERYONE would....

"If you can find a PS3 anywhere in North America that's been on shelves for more than five minutes, I'll give you 1,200 bucks for it." -- SCEA President Jack Tretton

Most Popular ArticlesAre you ready for this ? HyperDrive Aircraft
September 24, 2016, 9:29 AM
Leaked – Samsung S8 is a Dream and a Dream 2
September 25, 2016, 8:00 AM
Yahoo Hacked - Change Your Passwords and Security Info ASAP!
September 23, 2016, 5:45 AM
A is for Apples
September 23, 2016, 5:32 AM
Walmart may get "Robot Shopping Carts?"
September 17, 2016, 6:01 AM

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki